DARPA Launches First Bug Bounty Program

DARPA is partnering with the Defense Digital Service (DDS) and Synack, a crowdsourced security company, to launch its first bug bounty program: the Finding Exploits to Thwart Tampering (FETT) Bug Bounty. FETT will put hundreds of researchers, analysts, and reverse engineers to work on the secure hardware architectures currently in development, looking for vulnerabilities or design flaws that could weaken their defenses. Its findings will feed back into the hardware security protections being built under the System Security Integration Through Hardware and Firmware (SSITH) program.

“The FETT Bug Bounty is a unique take on DARPA’s more traditional program evaluation efforts,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “FETT will open SSITH’s hardware security protections to a global community of ethical researchers with expertise in hardware reverse engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure.”

Bug bounty programs are used to assess and verify the security of a given technology, offering monetary rewards to encourage hackers to report weaknesses, flaws, or bugs they find in it. This is a form of public red teaming: the practice of rigorously challenging plans, policies, systems, and assumptions by adopting an adversarial approach. Most bug bounty programs focus on software; FETT instead puts SSITH's hardware security protections up for evaluation. Security researchers will be given access to emulated systems. Each runs a software stack that deliberately contains known vulnerabilities, with the SSITH hardware protections in place to prevent those vulnerabilities from being exploited. The vulnerability classes include buffer errors, information leakage, resource management errors, and numeric errors, among others. The researchers' task is not to find the software bugs, which are known, but to exploit them anyway by bypassing the hardware protections, and to report what they find through the established disclosure process.
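To make the announcement concrete, the following is an added example and not code from DARPA, SSITH, FETT, or Synack. It shows the kind of known software-stack bug a FETT target would carry: a constructed record format whose bounds check has a numeric error (unsigned wraparound) that turns into a buffer over-read, which is also how such bugs become information leaks. The vulnerable parser sits beside a hardened one. The wire format, the function names (`locate_payload_unsafe`, `locate_payload_checked`, `build_record`, `run_case`) and the sample records are all assumptions made for this illustration; nothing here models the SSITH hardware protections themselves, which are exactly the part FETT participants are asked to bypass.

```c
/* Added illustration, not DARPA/SSITH/FETT code. Constructed wire format:
 *   [off:4 LE][len:4 LE][body...]   payload = body[off .. off+len)
 * Shows a numeric error (uint32_t wraparound in the bounds check) that yields
 * an out-of-bounds read, beside a parser that checks each operand safely.
 * No hardware protection is modeled; this is the software-side bug only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u

/* Location of the payload as offsets from the start of the buffer, so the
 * caller (not the parser) forms the pointer. */
struct view {
    size_t off;
    size_t len;
};

/* Little-endian 32-bit read; the casts keep every shift in unsigned arithmetic. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: off + len is computed in uint32_t and wraps, so a huge off
 * passes the check and the resulting view lies far outside the buffer. */
int locate_payload_unsafe(const uint8_t *buf, uint32_t buflen, struct view *v)
{
    if (buflen < HDR_LEN) return -1;
    uint32_t off = rd32(buf), len = rd32(buf + 4);
    uint32_t body_len = buflen - HDR_LEN;
    if (off + len > body_len) return -1;    /* numeric error: sum wraps */
    v->off = HDR_LEN + off;                 /* out of bounds when it wrapped */
    v->len = len;
    return 0;
}

/* Hardened: each operand is compared against the remaining space, so no
 * intermediate value can exceed body_len and no wraparound can occur. */
int locate_payload_checked(const uint8_t *buf, uint32_t buflen, struct view *v)
{
    if (buflen < HDR_LEN) return -1;
    uint32_t off = rd32(buf), len = rd32(buf + 4);
    uint32_t body_len = buflen - HDR_LEN;
    if (off > body_len || len > body_len - off) return -1;
    v->off = HDR_LEN + off;
    v->len = len;
    return 0;
}

/* Writes a record into out (capacity cap); returns its total length, or 0 if
 * it does not fit. Constructed helper for the demo below. */
size_t build_record(uint8_t *out, size_t cap, uint32_t off, uint32_t len,
                    const uint8_t *body, size_t body_len)
{
    if (cap < HDR_LEN + body_len) return 0;
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)(off >> (8 * i));
        out[4 + i] = (uint8_t)(len >> (8 * i));
    }
    memcpy(out + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

/* Runs one parser on one constructed record and returns its result code.
 * wraparound=0: off=4, len=8 over a 32-byte body (benign).
 * wraparound=1: off=0xFFFFFFF0, len=0x20, so off+len wraps to 0x10 <= 32. */
int run_case(int wraparound, int hardened)
{
    uint8_t body[32], rec[64];
    struct view v;
    for (int i = 0; i < 32; i++) body[i] = (uint8_t)i;
    size_t n = wraparound
        ? build_record(rec, sizeof rec, 0xFFFFFFF0u, 0x20u, body, sizeof body)
        : build_record(rec, sizeof rec, 4u, 8u, body, sizeof body);
    return hardened ? locate_payload_checked(rec, (uint32_t)n, &v)
                    : locate_payload_unsafe(rec, (uint32_t)n, &v);
}

int main(void)
{
    printf("benign     unsafe=%d checked=%d\n", run_case(0, 0), run_case(0, 1));
    printf("wraparound unsafe=%d checked=%d\n", run_case(1, 0), run_case(1, 1));
    return 0;
}
```

The unsafe parser accepts the wraparound record (returns 0) while the checked one rejects it (returns -1); on the benign record both return 0. A hardware mechanism that enforces memory bounds independently of the software check would be expected to stop the out-of-bounds read that follows the unsafe acceptance, and whether it actually does, under every variation an attacker can construct, is the question FETT puts to its participants.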

Additional information is available at FETT.darpa.mil