[{"id":3768469,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding Nintendo Switch 2 / Nintendo Switch / Nintendo Switch Lite and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.\n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch 2 / Nintendo Switch / Nintendo Switch Lite\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo Switch 2 / Nintendo Switch application titles published by Nintendo in all countries and regions where they are sold\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $50,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than three (3) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\nWhen releasing fixes for vulnerabilities, Nintendo may issue security advisories intended to inform customers of specific details of those vulnerabilities.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch 2)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\nIn addition to the above, you may submit comments on vulnerability information that has already been disclosed by Nintendo.\nPlease ensure to include the CVE number when doing so.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \nNintendo reserves all rights against any illegal use of the reported vulnerability information.\n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people employed or formerly employed by:\n- Nintendo\n- Third parties engaged or formerly engaged in developing code and/or hardware for Nintendo\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-19T01:52:18.248Z"},{"id":3757291,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding Nintendo Switch 2 / Nintendo Switch / Nintendo Switch Lite and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.\n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch 2 / Nintendo Switch / Nintendo Switch Lite\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo Switch 2 / Nintendo Switch application titles published by Nintendo in all countries and regions where they are sold\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $50,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than three (3) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch 2)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \nNintendo reserves all rights against any illegal use of the reported vulnerability information.\n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people employed or formerly employed by:\n- Nintendo\n- Third parties engaged or formerly engaged in developing code and/or hardware for Nintendo\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-11T06:01:37.889Z"},{"id":3685913,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding the Nintendo Switch family of systems\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo Switch applications for which Nintendo is the publisher worldwide\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch™)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \nNintendo reserves all rights against any illegal use of the reported vulnerability information.\n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people employed or formerly employed by:\n- Nintendo\n- Third parties engaged or formerly engaged in developing code and/or hardware for Nintendo\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-07T02:36:47.560Z"},{"id":3676313,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding the Nintendo Switch family of systems\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo Switch applications for which Nintendo is the publisher worldwide\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch™)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \nNintendo reserves all rights against any illegal use of the reported vulnerability information.\n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-19T06:45:05.384Z"},{"id":3646620,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding the Nintendo Switch family of systems\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch™)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \nNintendo reserves all rights against any illegal use of the reported vulnerability information.\n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-09T05:49:56.806Z"},{"id":3639042,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding the Nintendo Switch family of systems\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch™)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-01T06:42:00.419Z"},{"id":3567903,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ system and the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n* System vulnerabilities regarding the Nintendo 3DS family of systems\n - Privilege escalation on ARM® ARM11™ userland\n - ARM11 kernel takeover\n - ARM® ARM9™ userland takeover\n - ARM9 kernel takeover\n- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS family of systems\n - ARM11 userland takeover that doesn't require other hacks or tools (\"secondary\" exploits would be those that require other hacks or tools to be effective; those would be out of scope for this program) \n - Hardware vulnerabilities regarding either the Nintendo Switch system or the Nintendo 3DS™ family of systems\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether or not it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM9 and ARM11 are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party until granted permission to do so from Nintendo.\nUsually, we grant such permission within two to four weeks from the release of the fix that addresses the vulnerability.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch, Nintendo 3DS, or New Nintendo 3DS)\n- State the region you used (e.g., JP, US, or EU) if the platform is Nintendo 3DS or New Nintendo 3DS\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-31T09:25:19.582Z"},{"id":3548077,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ system and the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n* System vulnerabilities regarding the Nintendo 3DS family of systems\n - Privilege escalation on ARM® ARM11™ userland\n - ARM11 kernel takeover\n - ARM® ARM9™ userland takeover\n - ARM9 kernel takeover\n- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS family of systems\n - ARM11 userland takeover that doesn't require other hacks or tools (\"secondary\" exploits would be those that require other hacks or tools to be effective; those would be out of scope for this program) \n - Hardware vulnerabilities regarding either the Nintendo Switch system or the Nintendo 3DS™ family of systems\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether or not it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM9 and ARM11 are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch, Nintendo 3DS, or New Nintendo 3DS)\n- State the region you used (e.g., JP, US, or EU) if the platform is Nintendo 3DS or New Nintendo 3DS\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-03T02:17:08.441Z"},{"id":3548075,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ system and the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n* System vulnerabilities regarding the Nintendo 3DS™ family of systems\n - Privilege escalation on ARM® ARM11™ userland\n - ARM11 kernel takeover\n - ARM® ARM9™ userland takeover\n - ARM9 kernel takeover\n- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems\n - ARM11 userland takeover that doesn't require other hacks or tools (\"secondary\" exploits would be those that require other hacks or tools to be effective; those would be out of scope for this program) \n - Hardware vulnerabilities regarding either the Nintendo Switch system or the Nintendo 3DS™ family of systems\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether or not it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM9 and ARM11 are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch, Nintendo 3DS, or New Nintendo 3DS)\n- State the region you used (e.g., JP, US, or EU) if the platform is Nintendo 3DS or New Nintendo 3DS\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-03T01:42:51.573Z"},{"id":3548074,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch™ system and the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding Nintendo Switch\n       * Privilege escalation from userland\n       * Kernel takeover\n       * ARM® TrustZone® takeover\n* Vulnerabilities regarding Nintendo-published applications for Nintendo Switch\n       * Userland takeover\n\n* System vulnerabilities regarding the Nintendo 3DS™ family of systems\n - Privilege escalation on ARM® ARM11™ userland\n - ARM11 kernel takeover\n - ARM® ARM9™ userland takeover\n - ARM9 kernel takeover\n\n- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems\n - ARM11 userland takeover that doesn't require other hacks or tools (\"secondary\" exploits would be those that require other hacks or tools to be effective; those would be out of scope for this program) \n - Hardware vulnerabilities regarding either the Nintendo Switch system or the Nintendo 3DS™ family of systems\n- Low-cost cloning\n- Security key detection via information leaks\n\nNintendo reserves the right to choose whether or not it will address any reported vulnerabilities.\nARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM9 and ARM11 are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved.\n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party.\n\n# Report template\n\nPlease include the details requested below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo Switch, Nintendo 3DS, or New Nintendo 3DS)\n- State the region you used (e.g., JP, US, or EU) if the platform is Nintendo 3DS or New Nintendo 3DS\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-03T01:06:31.603Z"},{"id":3542777,"new_policy":"Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.  Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.  \n\nBelow are examples of types of activities that Nintendo is focused on preventing:\n* Piracy, including:\n       * Game application dumping\n       * Copied game application execution\n* Cheating, including:\n       * Game application modification\n       * Save data modification\n* Dissemination of inappropriate content to children\n\nBelow are examples of vulnerabilities that Nintendo is interested in receiving information about:\n* System vulnerabilities regarding the Nintendo 3DS™ family of systems\n       * Privilege escalation on ARM11 userland\n       * ARM11 kernel takeover\n       * ARM9 userland takeover\n       * ARM9 kernel takeover\n* Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems\n       * ARM11 userland takeover\n* Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems\n       * Low-cost cloning\n       * Security key detection via information leaks\n\nNintendo reserves the right to choose whether or not it will address any reported vulnerabilities.  \n\n# Rewards\n\nNintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded.  Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward.  Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.  \n\nThe reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.\n\nA report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report. \n\nThe reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.\n\nNintendo will not disclose to the public the amount of any reward distributed by Nintendo.\n\n# Disclosure of vulnerability information\n\nBecause older system versions can continue to exploit vulnerabilities that have been reported to Nintendo by researchers and subsequently fixed by Nintendo, you agree that you shall not disclose vulnerability information reported to Nintendo to any other third party.\n\n# Report template\n\nPlease include the details requested in below when submitting vulnerability information to Nintendo.  All such reports should be submitted in English.\n- State the name of the applicable platform (e.g., Nintendo 3DS™, New Nintendo 3DS™, or both)\n- State the region of the platform you used (e.g., JP, US, or EU)\n- State the system version number(s) that the vulnerability applies to\n- Describe all of the steps required to reproduce the issue\n- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability\n- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.\n- Confirm that the vulnerability is not widely known to the public.\n\n# Legal\n\nYou agree that you will not violate any law, or disrupt or compromise any data that is not your own in connection with reporting vulnerability information to Nintendo.  \n\nNintendo reserves the right to modify the terms of this program at any time.  \n\nYou have no obligation to provide Nintendo with the abovementioned security and vulnerability information. However, you agree that by submitting such information to Nintendo, even if the information is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nNintendo will not grant rewards to people who are/were employed by Nintendo or third parties that are/were engaged in developing code and/or hardware for Nintendo. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-06T00:17:04.690Z"}]