DARPA launches FETT bug bounty
On July 15, DARPA announced that its first bug bounty program, Finding Exploits to Thwart Tampering (FETT), has opened its virtual doors to a community of ethical hackers and cybersecurity researchers to uncover potential weaknesses within novel secure processors in development on the System Security Integration Through Hardware and Firmware (SSITH) program.
DARPA has partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company, on this effort. FETT is utilizing Synack’s existing community of vetted ethical researchers, called the Synack Red Team (SRT), artificial intelligence- and machine learning-enabled technology, as well as their crowdsourced security testing platform to execute the security engagement. The goal is to enable the research teams working under SSITH to improve their hardware defenses by addressing any discovered weaknesses or bugs following the conclusion of FETT.
To enable even greater participation in FETT from the global cybersecurity community, Synack recently conducted a Capture-the-Flag (CTF) qualifier event that provided interested cyber enthusiasts with a chance to earn a Technical Assessment “Fast Pass” to the Synack Red Team. Anyone who was able to successfully complete the qualifier and meet certain legal verification requirements now has access to FETT and the SSITH defenses for analysis.
“Over 500 researchers registered for Synack’s open Capture-the-Flag qualifier and 24 ultimately qualified for the Technical Assessment ‘Fast Pass’, which is attributed to the high bar set for skilled participants,” said Keith Rebello, the DARPA program manager leading SSITH and FETT. “We are encouraged by the level of interest we’re seeing in our effort and the positive turnout from the cybersecurity community to help improve electronic system security for all.”
Qualified participants, including those on Synack’s platform as well as the newly qualified candidates, will now gain access to several instances of the SSITH secure processors. At the launch of FETT, five instances will be available for hacking while an additional three will be made available throughout the duration of the bug bounty program. These secure processors map to the target systems that SSITH aimed to develop during the first two phases of the program, which include 32-bit and 64-bit processors that use the novel defenses.
“We are raising the bar of our cybersecurity position by embracing the security researcher community,” said Brett Goldstein, director of Defense Digital Service. “We have to move away from cybersecurity via obscurity and leverage the best skills available to protect our nation.”
Within FETT, security researchers will analyze and explore secure hardware architectures and approaches developed by research teams from the University of Cambridge and SRI International; University of Michigan; Lockheed Martin; and Massachusetts Institute of Technology.