DARPA FETT BUG BOUNTY PROGRAM
DARPA’s first-ever bug bounty program – the Finding Exploits to Thwart Tampering (FETT) Bug Bounty – stress-tested novel secure hardware architectures and designs in development on the DARPA System Security Integration Through Hardware and Firmware (SSITH) program. DARPA partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company, on this effort, which ran from July to October 2020. Researchers and ethical hackers were invited to attack SSITH technology, with cash rewards offered for successful attacks. Nearly 600 researchers spent more than 13,000 hours attacking SSITH defenses. Overall, only 10 attacks were successful, leading to the deployment and successful verification of three fixes during the course of the competition. The remaining vulnerabilities will be fixed during the final phase of the program.
In 2017, DARPA launched the SSITH program to create novel hardware defenses that can thwart the most common software exploitations of hardware vulnerabilities. Specifically, SSITH is developing secure processors to take on seven classes of hardware vulnerabilities that range from memory errors to code injection. These foul attacks seek to wreak havoc on electronic systems, just like your classic sci-fi villains. To help illustrate how these attacks work and their potential wrath, DARPA developed "The Malicious 7" – a cast of characters that personify each vulnerability class. With FETT, we asked bounty hunters to help us ensure that SSITH's novel hardware defenses can generate a heroic outcome from electronic security. We want to know - can SSITH prevent the Malicious 7 from wreaking havoc once and for all?
For more information on the vulnerability disclosure process, visit our Bug Bounty page here.
For more information on the underlying technologies behind SSITH hardware defenses, visit our Technology page here.