Nintendo Server Bug Bounty Program - Bug Bounty Program - HackerOne
You are viewing a private program. It's only visible to invited hackers. Please do not discuss the program publicly yet.
Nintendo's goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving server and website-related vulnerability information that researchers may discover that is (i) listed under the In Scope heading at the bottom of this page and (ii) not listed under the Out of Scope or Exclusion headings below.
To report console-related vulnerability information, please review Nintendo's Console Bug Bounty Program.
Nintendo reserves the right to choose whether or not it will address any reported vulnerabilities. Nintendo will aim to respond to new reports of vulnerability information within five (5) business days of first receiving the report and, if applicable, triage such vulnerability information within ten (10) business days of first receiving the report.
Program Statistics (updated daily; response figures based on the last 90 days)
Average time to triage: 3 days
Reports meeting response standards: 93%
Reports received in the last 90 days: 170
Last report resolved: 10 days ago
Reports resolved: 214
Hackers thanked: 226
https://hackerone.com/nintendo-server?type=team 1/9
1/11/21 22:09 Nintendo Server Bug Bounty Program - Bug Bounty Program | HackerOne
Exclusions
To ensure the availability of our services to our users, we ask that you please refrain from conducting the activities listed below, which are not acceptable submissions under Nintendo's Server Bug Bounty Program:
DDoS, DoS, brute-force attacks or activity that could lead to disruption of our services
Leveraging black hat SEO techniques
Spamming
Using any testing tools that automatically generate very significant volumes of traffic
Social engineering (including phishing) of Nintendo staff or contractors
Any physical attempts against Nintendo property or data centers
Reporting Clickjacking on pages with no sensitive actions
Reporting Unauthenticated/login/logout CSRF
Reporting attacks requiring MITM or physical access to a user's device
Reporting Reflected XSS or Host Header injection without a POC demonstrating the exploit
Reporting lack of security-related headers (content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options, etc.) without a POC demonstrating the exploit
Reporting 0-day exploits without reasonable time to patch
Reporting Autocomplete enabled, missing best practices in SSL/TLS, missing HSTS, lack of HTTPOnly or Secure flags on non-session cookies, or DNSSEC configuration
Reporting user enumeration attacks
Reporting password re-use attacks
Reporting Content spoofing and text injection without showing an attack vector
Nintendo may award a discretionary bounty on Critical "Responsible Disclosure Reports" that aren't specifically out of scope. The report must have a final CVSS severity rating between 9.0 and 10.0 to qualify, and a bounty will only be awarded to the first reporter. All other Responsible Disclosure Reports are not eligible for a reward.
Vulnerability information that is already known to Nintendo or the public, for example, does not
qualify for a reward.
Nintendo uses CVSS version 3.0 (see chart below) to score vulnerabilities and the CVSS score
determines the qualifying reward with a maximum of $5,000 for a CVSS score of 10.0.
Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction
lists.
Publicly disclosing vulnerability information without Nintendo’s permission may lead to such
vulnerability information being ineligible for a bounty.
Bounty chart severity bands (CVSS 3.0): Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS <= 3.9)
Bounties will be limited on XSS (Reflected, Self, DOM) to a maximum payout of $200 unless specific
POC demonstrating access to critical data is provided.
Usually this will be demonstrated by chaining
multiple vulnerabilities. In these cases Nintendo in its discretion may award a higher bounty for the
exploit chain based on the complexity and effectiveness of the XSS exploit.
Domain takeovers will be capped at a maximum bounty of $300. If you can demonstrate access to
sensitive session cookies or tokens from other domains because of the domain takeover Nintendo will
consider an additional bounty based on the sensitivity of the tokens provided.
If Nintendo determines that the vulnerability information qualifies for a reward, the reward will be paid
after Nintendo has triaged the vulnerability information, but no later than four (4) weeks after triage.
You agree that you shall not disclose vulnerability information reported to Nintendo that is eligible for a
reward from Nintendo to any other third party until granted permission to do so from Nintendo.
Usually, we grant such permission within two (2) to four (4) weeks from the release of the fix that
addresses the vulnerability. You agree that you shall not disclose vulnerability information reported to
Nintendo that is not eligible for a reward from Nintendo to any other third party for ninety (90) days after
reporting, unless granted permission to do so from Nintendo.
Legal
You agree that you will not violate any law, or disrupt or compromise any data that is not your own in
connection with reporting vulnerability information to Nintendo.
Nintendo reserves the right to modify the terms of this program at any time.
You have no obligation to provide Nintendo with the abovementioned security and vulnerability
information. However, you agree that by submitting such information to Nintendo, even if the information
is not eligible for a reward, you grant Nintendo a worldwide, perpetual, irrevocable, non-exclusive,
transferable, sublicenseable, fully-paid and royalty-free license under any and all intellectual property
rights that you own or control to use, copy, modify, create derivative works based upon and otherwise
exploit such information for any purpose.
Nintendo will not grant rewards to people (i) who are/were employed by Nintendo or third parties that
are/were engaged in developing code and/or hardware for Nintendo or (ii) who have been under contract
to provide security services to Nintendo or its affiliates in the previous six (6) months.
Thank you for helping keep Nintendo and our users safe!
Last updated on April 16, 2021.
Scopes
In Scope
www.nintendo-europe-sales.com (Domain; max severity: Critical; bounty eligible)
Please do not register for accounts as this is a production site.
Alternate name: https://www.nintendo-europe-media.com
prn-wfx.nintendo.eu (Domain; max severity: Critical; bounty eligible)
Alternate name: https://noe-wfx.nintendo.eu
en-americas-support.nintendo.com (Domain; max severity: Critical; bounty eligible)
Other languages at fr-americas-support, es-americas-support, pt-americas-support
store.nintendo.com (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
Notes: The entry pages are in scope, but the general marketing domains are not.
https://www.nintendo.ch/de/Einkaufen/Einkaufsoptionen-auf-der-Nintendo-Webseite-1114919.html
https://www.nintendo.at/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.fr/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.be/fr/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.ch/fr/Achats/Options-d-achat-sur-le-site-web-de-Nintendo-1114919.html
https://www.nintendo.es/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.nl/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.be/nl/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.it/My-Nintendo-Store/My-Nintendo-Store-1114919.html
https://www.nintendo.ch/it/Acquisti/Opzioni-d-acquisto-sul-sito-Nintendo-1114919.html
https://www.nintendo.pt/My-Nintendo-Store/My-Nintendo-Store-1114919.html
nesc.nintendo.com (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
parentalcontrols.nintendo.com (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
store.nintendo.com.br (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
www.nintendo.com.au (Domain; max severity: Critical; bounty eligible)
Staging sites that shouldn't be accessible, but are in scope:
https://nintendocomau-stage.corewebdna.com/
https://nshopnintendocomau-stage.corewebdna.com/
https://shopmembersnintendocomau-stage.corewebdna.com/
store.nintendo.com.au (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
library-dev.id.nintendo.net (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
library-dev.accountportal.nintendo.net (Domain; max severity: Critical; bounty eligible)
Please limit testing to 100 requests/minute due to database constraints.
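Several of the entries above ask testers to hold traffic to 100 requests/minute because of database constraints, and a scanner left on its defaults will blow through that in seconds. The following is an added example, not code from the program page, HackerOne or Nintendo, of how a tester's own tooling can enforce the budget per host before each request is sent: a sliding-window limiter that guarantees no more than the stated number of requests in any rolling minute, with an optional minimum gap so the whole minute's budget is not fired in one burst. The hostnames are the ones carrying the note in the scope table; the URL paths, request counts and virtual clock are constructed for the demonstration and no traffic is sent.

```python
"""Per-host request throttle for the rate-limited in-scope assets.

Added example; not code from the program page, HackerOne or Nintendo. Several
in-scope assets ask testers to stay under 100 requests/minute because of
database constraints. This sliding-window limiter enforces that budget per
host: no host sees more than `limit` requests in any rolling `window` seconds,
and an optional `min_gap` spreads requests out instead of letting a minute's
budget fire at once. Clock and sleep are injectable so it runs offline.
"""
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Hosts whose scope entry carries the 100 requests/minute note.
RATE_LIMITED = frozenset({
    "store.nintendo.com", "nesc.nintendo.com", "parentalcontrols.nintendo.com",
    "store.nintendo.com.br", "store.nintendo.com.au",
    "library-dev.id.nintendo.net", "library-dev.accountportal.nintendo.net",
})


class HostThrottle:
    """Sliding-window rate limiter keyed by hostname."""

    def __init__(self, limit=100, window=60.0, min_gap=0.0,
                 now=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.min_gap = limit, window, min_gap
        self._now, self._sleep = now, sleep
        self._sent = defaultdict(deque)  # host -> send times still in window

    def _expire(self, q, now):
        # Drop send times that have aged out of the rolling window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def acquire(self, url):
        """Block until one more request to url's host fits the budget; call it
        right before each request. Returns seconds waited (0.0 if none)."""
        host = (urlsplit(url).hostname or "").lower()
        if host not in RATE_LIMITED:
            return 0.0
        q = self._sent[host]
        now = self._now()
        self._expire(q, now)
        waited = 0.0
        # Window full: wait until the oldest request leaves the window.
        while len(q) >= self.limit:
            delay = q[0] + self.window - now
            self._sleep(delay)
            waited += delay
            now = self._now()
            self._expire(q, now)
        # Optional smoothing: enforce a minimum gap between consecutive requests.
        if q and now - q[-1] < self.min_gap:
            delay = self.min_gap - (now - q[-1])
            self._sleep(delay)
            waited += delay
            now = self._now()
        q.append(now)
        return waited


class FakeClock:
    """Virtual clock for offline runs: sleep() just advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def max_in_window(timestamps, window=60.0):
    """Largest number of timestamps in any half-open [t, t + window)."""
    ts = sorted(timestamps)
    best = j = 0
    for i, start in enumerate(ts):
        while j < len(ts) and ts[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


def simulate(url, count, **kwargs):
    """Send `count` throttled requests to url on a virtual clock (constructed
    input); returns (send_timestamps, virtual_seconds_elapsed)."""
    clock = FakeClock()
    throttle = HostThrottle(now=clock.now, sleep=clock.sleep, **kwargs)
    stamps = []
    for _ in range(count):
        throttle.acquire(url)
        stamps.append(clock.now())
    return stamps, clock.t
```

Wrapping a real run is a matter of calling `throttle.acquire(url)` with the default `time.monotonic`/`time.sleep` clock before every request the tool sends; `simulate("https://store.nintendo.com/page", 250)` shows the default configuration finishing 250 requests in 120 virtual seconds with a peak of exactly 100 per minute, while `min_gap=1.0` trades that burstiness for one request per second, which is gentler on a shared database. Hosts not in `RATE_LIMITED` pass through untouched, so the same object can front the whole scope list.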
Out of Scope
vpn.nintendo.com (Domain)
Includes: vpn1.nintendo.com, vpn2.nintendo.com, vpn3.nintendo.com, vpn5.nintendo.com, vpn6.nintendo.com
Last updated on September 24, 2021.