Despite Nintendo’s Bounty Program, Hackers Think They Will Crack The Switch

In December of 2016, Nintendo launched a program with HackerOne, a service that provides bounties ranging from $US100 ($132) to $US20,000 ($26,430) for finding bugs and exploits, in order to stamp them out on the 3DS. This program has since been extended to the Switch, and so far has awarded three people with bounties. While some members of the Nintendo hacking community are frustrated by this, some of them see it as a good sign for the future of Switch hacking.

As you might know, the Wii U and the 3DS were both modded extensively by hackers over the years, and in 2017, there’s still a thriving community for Wii U hacks. Piracy also runs rampant on both platforms, with games like Pokémon Sun and Moon leaking early due to vulnerabilities on the 3DS.

Although both the 3DS and the Wii U were hacked extensively before Nintendo started their HackerOne program, presumably that precarious landscape is what prompted Nintendo to seek out a bounty program in the first place.

The Nintendo hacking community hopes that the Switch holds the same type of potential for homebrew, meaning, running a custom operating system that would able to load custom games and apps. Stan, who has been hacking consoles as a hobby for the past decade, told Kotaku that he believes that no matter what, the homebrewed Switches will happen. “[Nintendo is] nowhere near where Sony’s at with protecting their IP and their consoles from exploits and hacking.

So, it’s just like every other Nintendo console at this point.” In fact, earlier this year, a Switch vulnerability was already discovered using an iOS jailbreaking tool.

Nintendo’s HackerOne program has the stated goal of stamping out piracy, among other things. Curtisy1, a mod for the Wii U Hacks subreddit, said he hopes that the Switch will have less of a problem with piracy than the 3DS. “[Piracy] would probably make the console a Wii U 2.0 with cool things happening but massive loss of interest as well,” he said.

Some people in the Nintendo hacking community don’t like the idea that exploits would go to Nintendo before they get to play around with them. In a thread about the HackerOne program on the GBATemp forums, a community where people come together to talk hacking and emulation for game consoles, user Jeihfeng started a topic about Nintendo’s HackerOne program, saying that,”It seems as if a few hackers wouldn’t mind giving out their newfound exploits for some easy cash, hopefully for the sake of the Switch hacking scene, it isn’t the same with our own resident hackers.”

The initial discussion takes the same tone as Jeihgeng’s original post — with one person going so far as to call the people who cashed in on the HackerOne program, “snitches.”

Others assert that the HackerOne program might not be a bad thing. Curtisy1 doesn’t see the program as much of a hurdle for potential Switch hacks. “Imagine Nintendo patches an exploit which was submitted to them via HackerOne,” he said. “Skilled developers would just look at the changes made and have an entry point for free.”

Hackers and developers are already reading detailed updates whenever Nintendo patches the Switch, and the more that things change, the easier it will be to find vulnerabilities in the system. Curtisy1 also says that system updates don’t necessarily fix all bugs. “Sony just updated webkit with their most recent PS4 firmware and it’s more vulnerable than before according to some devs,” he said.

What tricky, then, is how money is going to change the community’s approach to hacking. Pustal on GBATemp said that this is a “ridiculously low price point for this kind of information.”

On the other hand, Arck, another user on GBATemp said that there’s two choices, “Being paid by Nintendo or a having a temporary moment of ‘glory.’” Granted, some of those “moments of glory,” can include drastically improving games — like the modder who created a way to upload levels made in Mario Maker for the 3DS, a feature confusingly not available in the base game.

Still, money is money.

Curtisy1 said that he sort of agrees that these prices seem low, for certain circumstances. “$US100 ($132) is way too cheap for all the work put into most privilege escalations, but 20k is kind of a big deal for some,” he said. “Some developers are fairly young, meaning high school or college, so they would probably willingly take the money for funding their education.”

He said that the bounty should depend on the time put in. The HackerOne program does not disclose the cash prize awarded to users to submit exploits.

Stan said that he thinks that people who submit exploits for payment are always going to feel like they should be getting more money. “Is what they’re paying fair? No one will ever agree on that,” he said. “The people who are finding the exploits will always want more than what they get.”

What the hacking community seems to come to a consensus about, however, is that a hacked Switch will eventually happen. “This program is just going to slow things down, maybe,” Stan said. “It might not even slow things down at all.”