DARPA’s first ever bug bounty program – the Finding Exploits to Thwart Tampering (FETT) Bug Bounty –stress-tested novel secure hardware architectures and designs in development on the DARPA System Security Integration Through Hardware and Firmware (SSITH) program. DARPA partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company, on this effort that ran from July to October 2020. Researchers and ethical hackers were invited to attack SSITH technology, with cash rewards offered for successful attacks. Nearly 600 researchers spent more than 13,000 hours attacking SSITH defenses. Overall, only 10 attacks were successful, leading to the deployment and successful verification of three fixes during the course of the competition. The remaining vulnerabilities will be fixed during the final phase of the program.

In 2017, DARPA launched the SSITH program to create novel hardware defenses that can thwart the most common software exploitations of hardware vulnerabilities. Specifically, SSITH is developing secure processors to take on seven classes of hardware vulnerabilities that range from memory errors to code injection. These foul attacks seek to wreak havoc on electronic systems, just like your classic sci-fi villains. To help illustrate how these attacks work and their potential wrath, DARPA developed "The Malicious 7" – a cast of characters that personify each vulnerability class. With FETT, we asked bounty hunters to help us ensure that SSITH's novel hardware defenses can generate a heroic outcome from electronic security. We want to know - can SSITH prevent the Malicious 7 from wreaking havoc once and for all?

For more information on the vulnerability disclosure process, visit our Bug Bounty page here.

For more information on the underlying technologies behind SSITH hardware defenses, visit our Technology page here.



You are now leaving the website that is under the control and management of DARPA. The appearance of hyperlinks does not constitute endorsement by DARPA of non-U.S. Government sites or the information, products, or services contained therein. Although DARPA may or may not use these sites as additional distribution channels for Department of Defense information, it does not exercise editorial control over all of the information that you may find at these locations. Such links are provided consistent with the stated purpose of this website.

After reading this message, click  to continue immediately.

Go Back