This information is published in accordance with Nintendo’s obligations under the Product Security and Telecommunications Infrastructure Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

The information published relates solely to product security; it is not a guarantee or promise relating to the availability of any online service provided by Nintendo.

1. Information on defined support periods

The minimum length of time for which security updates will be provided for each of the following products is set out in the table below.

* The defined support period is the minimum length of time for which software updates will be provided by Nintendo as and when necessary to protect or enhance the security of the products listed above. Nintendo may extend the defined support period from time to time to ensure the continued compatibility and the security of the products and their compliance with any applicable laws, and updates will be published on this webpage. Please note that the information published here relates solely to security updates; it is not a guarantee or promise relating to the availability of any online services provided by Nintendo.

** These dates given here, set based on European law requirements, indicate a date two years after the date of the latest update of this webpage, and may be extended from time to time.

Date of last webpage update: 29 April 2024

2. Vulnerability Disclosure Policy for the UK

Nintendo is making its UK vulnerability disclosure policy publicly available. This policy sets out the processes by which security researchers and others may report issues to Nintendo about possible vulnerabilities in its hardware and software, and the third party software used on its hardware.

This policy may be updated from time to time to ensure Nintendo maintains transparency and clarity in dealing with security researchers and others making reports.

This policy includes:

(i) a clear explanation of the points of contact for the reporting of issues; and

(ii) information on expected timelines for the initial acknowledgement of receipt and status updates until the resolution of the reported issues.

Points of contact for the reporting of security issues or vulnerabilities

All genuine security issues or vulnerabilities with the products listed below should be reported to PSTI-Report@nintendo.co.uk:

• Nintendo Switch Consoles
• Nintendo Switch Dock with LAN port
• Software for Nintendo Switch Consoles accessible to users in the United Kingdom

Please follow these instructions when you submit your report:

Include the following information in your report:

• Product name
• System version / patch number
• Steps to reproduce the issue
• Detail of vulnerability, and any suggestions to fix the issue
• Impact of the vulnerability
• Proof-of-Concept / functional sample if available;

Reward Programme:

Nintendo has enlisted the help of the HackerOne community to coordinate global vulnerability reports, pay out bug bounties and make its products more secure. If you wish to submit a report about products in scope* through HackerOne, please:

(1) email us the report ID number of HackerOne via PSTI-Report@nintendo.co.uk to receive acknowledgement of receipt and regular updates, otherwise we will not be able to track your report; and

(2) do not submit your report via email as this creates unnecessary duplication and you will not be rewarded for reports submitted outside the HackerOne programme.

* To find out which products are included in the bug bounty program, please visit https://hackerone.com/nintendo/policy_scopes

What to expect when you submit a report

When you submit a genuine report on an issue affecting security to Nintendo via the email address set out above as the point of contact, Nintendo will provide you with certain updates:

(i) You will receive an initial acknowledgement of receipt of your report within 7 working days from the date on which the report is submitted; and

(ii) You will also receive status update(s) on your security report at least every four weeks until the resolution of the issue that you reported.

In relation to the status updates, Nintendo will always act on any reported vulnerabilities in a timely manner. However, the timeframes for investigating and reporting on any vulnerability are always incident-specific.

Please note that if you are reporting on a vulnerability relating to third-party games that are playable on Nintendo consoles, the timeframe for completing the processes is dependent on the third party and therefore outside of Nintendo’s control.

Date of last webpage update: 29 April 2024