Results of DARPA's First Bug Bounty Program Released
The Defense Advanced Research Projects Agency (DARPA) partnered with the Department of Defense Digital Service (DDS) and Synack to test the security prototypes developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) program. SSITH aims to build hardware security architectures, and the associated design tools, that protect a system against hardware weaknesses that are exploited through software; the Finding Exploits to Thwart Tampering (FETT) bug bounty program put those prototype processors in front of outside researchers to find out whether the protections actually hold.
What is a Bug Bounty?
A bug bounty is a competitive model in which an organization invites security researchers and ethical hackers to find bugs and other vulnerabilities in the systems it operates, and rewards them for valid findings. Rewards can take the form of payments, public recognition, or free services or products from the organization.
Such a program can be run in-house and self-managed, or organized through a crowdsourced security vendor.
FETT ran from July to October of last year, and more than 500 cybersecurity professionals took part. DARPA then spent about three months analyzing the submissions before finalizing the results. Researchers from Synack performed the penetration tests against the SSITH technologies.
The FETT bug bounty uncovered ten vulnerabilities across the 980 processors tested under DARPA's System Security Integration Through Hardware and Firmware (SSITH) program. Seven of the ten were rated critical severity and the remaining three were rated high severity.
“The majority of the bug reports did not come from the exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop an application with a vulnerability that could be exploited in contradiction with the SSITH processors’ security claims,” said Keith Rebello, DARPA’s program manager for SSITH and FETT.
“The final phase of the program will focus on continuing to advance the secure processors in development, ensuring they can protect against all of the weaknesses from the seven classes of the CWE hardware vulnerability classes that SSITH is focused on,” said Rebello.