DARPA FETT BUG BOUNTY PROGRAM
DARPA is announcing its first ever bug bounty program – the Finding Exploits to Thwart Tampering (FETT) Bug Bounty – to stress-test novel secure hardware architectures and designs in development on the DARPA System Security Integration Through Hardware and Firmware (SSITH) program. DARPA is partnering with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company, on this effort that will run July to September 2020. FETT will utilize Synack’s community of 1,500 ethical hackers to Red Team these novel hardware defenses, as well as their established vulnerability disclosure process to execute the crowdsourced security engagement.
Everyone knows that software is vulnerable, and that software patching is a common fix to this problem. But many software attacks are exploiting weaknesses in the underlying hardware. If we could eliminate these hardware weaknesses, we could significantly reduce the volume and frequency of software patches, making devices safer and potentially improving performance in the process. Instead of relying on the software alone, what if we could make hardware a significant participant in cybersecurity?
In 2017, DARPA launched the SSITH program to create novel hardware defenses that can thwart the most common software exploitations of hardware vulnerabilities. Specifically, SSITH is developing secure processors to take on seven classes of hardware vulnerabilities that range from memory errors to code injection. These foul attacks seek to wreak havoc on electronic systems, just like your classic sci-fi villains. To help illustrate how these attacks work and their potential wrath, DARPA developed "The Malicious 7" – a cast of characters that personify each vulnerability class. With FETT, we're asking bounty hunters to help us ensure that SSITH's novel hardware defenses can generate a heroic outcome from electronic security. We want to know - can SSITH prevent the Malicious 7 from wreaking havoc once and for all?
For more information on the vulnerability disclosure process, visit our Bug Bounty page here.
For more information on the underlying technologies behind SSITH hardware defenses, visit our Technology page here.