
Nintendo Server Bug Bounty Program - Bug Bounty Program - HackerOne


1/11/21 22:09 Nintendo Server Bug Bounty Program - Bug Bounty Program | HackerOne

You are viewing a private program. It's only visible to invited hackers. Please do not discuss the program publicly yet.

Bug Bounty Program


Nintendo Server Bug Bounty Program
Launched on Sep 2019

http://nintendo.com Managed by HackerOne


Bounty splitting enabled
Reports resolved: 214
Assets in scope: 38
Average bounty: -

Policy

Nintendo's goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving server and website-related vulnerability information that researchers may discover that is (i) listed under the In Scope heading at the bottom of this page and (ii) not listed under the Out of Scope or Exclusion headings below. To report console-related vulnerability information, please review Nintendo's Console Bug Bounty Program.

Nintendo reserves the right to choose whether or not it will address any reported vulnerabilities. Nintendo will aim to respond to new reports of vulnerability information within five (5) business days of first receiving the report and, if applicable, triage such vulnerability information within ten (10) business days of first receiving the report.

Response Efficiency (based on last 90 days)
Average time to triage: 3 days
Reports meeting response standards: 93%

Program Statistics (updated daily)
Reports received in the last 90 days: 170
Exclusions
https://hackerone.com/nintendo-server?type=team 1/9

To ensure the availability of our services to our users, we ask that you please refrain from conducting the activities listed below, which are not acceptable submissions under Nintendo's Server Bug Bounty Program:

DDoS, DoS, brute-force attacks or activity that could lead to disruption of our services
Leveraging black hat SEO techniques
Spamming
Using any testing tools that automatically generate very significant volumes of traffic
Social engineering (including phishing) of Nintendo staff or contractors
Any physical attempts against Nintendo property or data centers
Reporting Clickjacking on pages with no sensitive actions
Reporting unauthenticated/login/logout CSRF
Reporting attacks requiring MITM or physical access to a user's device
Reporting Reflected XSS or Host Header injection without a POC demonstrating the exploit
Reporting lack of security-related headers (content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options, etc.) without a POC demonstrating the exploit
Reporting 0-day exploits without reasonable time to patch
Reporting Autocomplete enabled, missing best practices in SSL/TLS, missing HSTS, lack of HTTPOnly or Secure flags on non-session cookies, or DNSSEC configuration
Reporting user enumeration attacks
Reporting password re-use attacks
Reporting Content spoofing and text injection without showing an attack vector
Reporting Open Redirects
Reporting Tab Nabbing

Program Statistics (continued)
Last report resolved: 10 days ago
Reports resolved: 214
Hackers thanked: 226

Top hackers
fqdn (Reputation: 1055)
cmd-0_0 (Reputation: 902)
rz01 (Reputation: 733)
0xd0m7 (Reputation: 353)
eboda (Reputation: 342)

Rewards


Nintendo will pay a reward to the first reporter of qualifying vulnerability information per the Policy set forth above.
Nintendo will evaluate reports on any Nintendo asset ("Responsible Disclosure Reports"); however, only reports on in-scope assets are eligible for a bounty.
Nintendo may award a discretionary bounty on Critical "Responsible Disclosure Reports" that aren't specifically out of scope. The report must have a final CVSS severity rating between 9.0 and 10.0 to qualify, and the bounty will only be awarded to the first reporter. All other Responsible Disclosure Reports are not eligible for a reward.
Vulnerability information that is already known to Nintendo or the public, for example, does not
qualify for a reward.
Nintendo uses CVSS version 3.0 (see chart below) to score vulnerabilities and the CVSS score
determines the qualifying reward with a maximum of $5,000 for a CVSS score of 10.0.
Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction
lists.
Publicly disclosing vulnerability information without Nintendo’s permission may lead to such
vulnerability information being ineligible for a bounty.

Severity   CVSS v3.0 range   Minimum   Maximum
Critical   9.0 - 10.0        $4,050    $5,000
High       7.0 - 8.9         $2,450    $3,960
Medium     4.0 - 6.9         $800      $2,380
Low        <= 3.9            $100      $760

Bounties will be limited on XSS (Reflected, Self, DOM) to a maximum payout of $200 unless specific
POC demonstrating access to critical data is provided.
Usually this will be demonstrated by chaining
multiple vulnerabilities. In these cases Nintendo in its discretion may award a higher bounty for the
exploit chain based on the complexity and effectiveness of the XSS exploit.
Domain takeovers will be capped at a maximum bounty of $300. If you can demonstrate access to
sensitive session cookies or tokens from other domains because of the domain takeover Nintendo will
consider an additional bounty based on the sensitivity of the tokens provided.
If Nintendo determines that the vulnerability information qualifies for a reward, the reward will be paid
after Nintendo has triaged the vulnerability information, but no later than four (4) weeks after triage.


Disclosure of Vulnerability Information


We encourage you to let us know as soon as possible of applicable vulnerability information that you are
aware of. We’ll investigate all legitimate vulnerability information and do our best to quickly resolve the
issue. Nintendo is open to coordinating disclosure of resolved vulnerabilities in the interest of furthering
the greater security community.

You agree that you shall not disclose vulnerability information reported to Nintendo that is eligible for a
reward from Nintendo to any other third party until granted permission to do so from Nintendo.

Usually, we grant such permission within two (2) to four (4) weeks from the release of the fix that
addresses the vulnerability. You agree that you shall not disclose vulnerability information reported to
Nintendo that is not eligible for a reward from Nintendo to any other third party for ninety (90) days after
reporting, unless granted permission to do so from Nintendo.

Legal
You agree that you will not violate any law, or disrupt or compromise any data that is not your own in
connection with reporting vulnerability information to Nintendo.

Nintendo reserves the right to modify the terms of this program at any time.

You have no obligation to provide Nintendo with the abovementioned security and vulnerability
information. However, you agree that by submitting such information to Nintendo, even if the information
is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive,
transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property
rights that you own or control to use, copy, modify, create derivative works based upon and otherwise
exploit such information for any purpose.

Nintendo will not grant rewards to people (i) who are/were employed by Nintendo or third parties that
are/were engaged in developing code and/or hardware for Nintendo or (ii) who have been under contract
to provide security services to Nintendo or its affiliates in the previous six (6) months.

Thank you for helping keep Nintendo and our users safe!
Last updated on April 16, 2021.

Scopes

In Scope

Domain www.nintendo.com Critical Eligible

Domain www.nintendo-europe-sales.com Critical Eligible
    Please do not register for accounts as this is a production site.
    Alternate name: https://www.nintendo-europe-media.com

Domain www.nintendo.de Critical Eligible

Domain prn-wfx.nintendo.eu Critical Eligible
    Alternate name: https://noe-wfx.nintendo.eu

Domain rds2.nintendo.eu Critical Eligible

Domain adfs.noa.nintendo.com Critical Eligible

Domain ammobile.nintendo.com Critical Eligible

Domain cstech.nintendo.com Critical Eligible

Domain dns1.nintendo.com Critical Eligible

Domain dns2.nintendo.com Critical Eligible

Domain en-americas-support.nintendo.com Critical Eligible
    Other languages at fr-americas-support, es-americas-support, pt-americas-support

Domain gate-prime.nintendo.com Critical Eligible

Domain gate-secure.nintendo.com Critical Eligible

Domain gtm-west.nintendo.com Critical Eligible

Domain store.nintendo.com Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain Mynintendostore.nintendo.de Critical Eligible
    The entry page is https://www.nintendo.ch/de/Einkaufen/Einkaufsoptionen-auf-der-Nintendo-Webseite-1114919.html. The entry pages and all mynintendostore.nintendo.* are in scope.

    Notes:
    Alternate domains are mynintendostore.nintendo.[de|ch|it|fr|be|nl|es|it|pt]
    The entry pages are in scope, but the general marketing domains are not.

    Alternative Entry Pages:
    https://www.nintendo.ch/de/Einkaufen/Einkaufsoptionen-auf-der-Nintendo-Webseite-1114919.html
    https://www.nintendo.at/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.fr/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.be/fr/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.ch/fr/Achats/Options-d-achat-sur-le-site-web-de-Nintendo-1114919.html
    https://www.nintendo.es/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.nl/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.be/nl/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.it/My-Nintendo-Store/My-Nintendo-Store-1114919.html
    https://www.nintendo.ch/it/Acquisti/Opzioni-d-acquisto-sul-sito-Nintendo-1114919.html
    https://www.nintendo.pt/My-Nintendo-Store/My-Nintendo-Store-1114919.html

Domain nesc.nintendo.com Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain nftp.nintendo.com Critical Eligible

Domain noa01airwtch02.noa.nintendo.com Critical Eligible

Domain noa3dns-w.nintendo.com Critical Eligible

Domain parentalcontrols.nintendo.com Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain play.nintendo.com Critical Eligible

Domain store.nintendo.com.br Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.
    Alternate language: store.nintendo.co

Domain download.nintendo.es Critical Eligible


Domain searching.nintendo-europe.com Critical Eligible

Domain nintendo-europe-media.com Critical Eligible

Domain *.nintendo-europe.com Critical Eligible

Domain *.nintendo.nl Critical Eligible

Domain *.nintendo.be Critical Eligible

Domain *.nintendo.lu Critical Eligible

Domain nintendo.comserve-nl.com Critical Eligible

Domain www.nintendo.com.au Critical Eligible
    Staging sites that shouldn't be accessible, but are in scope:
    https://nintendocomau-stage.corewebdna.com/
    https://nshopnintendocomau-stage.corewebdna.com/
    https://shopmembersnintendocomau-stage.corewebdna.com/

Domain store.nintendo.com.au Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain library-dev.id.nintendo.net Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain library-dev.accountportal.nintendo.net Critical Eligible
    Please limit testing to 100 requests/minute due to database constraints.

Domain joyconrepair.nintendo.com Critical Eligible


CIDR 103.36.5.64/27 Critical Eligible

CIDR 220.244.114.32/27 Critical Eligible

Out of Scope

Domain vpn.nintendo.com
    Includes: vpn1.nintendo.com, vpn2.nintendo.com, vpn3.nintendo.com, vpn5.nintendo.com, vpn6.nintendo.com

Last updated on September 24, 2021.
