Security Experts:

Connect with us

Hi, what are you looking for?



DARPA Bug Bounty Program Seeks to Harden SSITH Hardware Protections

The Defense Advanced Research Projects Agency (DARPA) is running a bug bounty program in an effort to find security vulnerabilities in a new, advanced implementation of the System Security Integration Through Hardware and Firmware (SSITH) program.

The Defense Advanced Research Projects Agency (DARPA) is running a bug bounty program in an effort to find security vulnerabilities in a new, advanced implementation of the System Security Integration Through Hardware and Firmware (SSITH) program.

DARPA launched SSITH in 2017 to help protect electronic systems from common means of exploitation by addressing the underlying hardware vulnerabilities at the source. With the new bug bounty program, DARPA is looking to harden SSITH hardware security protections in development.

Called Finding Exploits to Thwart Tampering (FETT) Bug Bounty, the program is run in collaboration with the Department of Defense’s Defense Digital Service (DDS) and crowdsourced security platform Synack.

Unlike most bug bounty programs, which focus on software evaluation, FETT is opening hardware instances for Red Teaming. Participating researchers will be provided with access to emulated systems running in the Amazon Web Services (AWS) EC2 F1 cloud.

The FPGA-based emulated systems include a RISC-V processor core that includes the SSTIH-developed hardware security protections. Exploitation of known vulnerabilities expected in the software stack on each emulated system will be prevented through the SSITH protections.

Vulnerabilities will be based on common classes of security weaknesses as identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST (such as buffer errors, information leakage, resource management, and more), and participating security researchers will need to devise exploit mechanisms to bypass SSITH protections.

As part of the FETT Bug Bounty, researchers will test the implemented SSITH defenses of electronic system application frameworks such as a medical records database system, a password authentication system for personal computers, and several other programs.

A vulnerable web-based voter registration system is also included in the bug bounty program, with the SSITH implementation looking to protect underlying voter information, to demonstrate that it could help keep critical infrastructure secure.

“The FETT Bug Bounty is a unique take on DARPA’s more traditional program evaluation efforts,” Keith Rebello, the DARPA program manager leading SSITH and FETT, said. “FETT will open SSITH’s hardware security protections to a global community of ethical researchers with expertise in hardware reserve engineering to detect potential vulnerabilities, strengthen the technologies, and provide a clear path to disclosure.”

All security researchers, reverse engineers, and ethical hackers looking to participate in FETT are invited to take part in a Capture-the-Flag (CTF) qualifier, where those who are not currently part of the Synack Red Team (SRT) will have the opportunity to earn a Technical Assessment ‘Fast Pass’ to join SRT — the legal verification steps are still required.

The CTF event is schedule to run between June 15 and June 29, 2020. Interested parties can register on this page. Current SRT members who meet the skills criteria will be granted access to the program throughout the life of the engagement.

Related: Tencent Partners With HackerOne for Bug Bounty Program

Related: Zoom Revamps Bug Bounty Program

Related: DARPA Wants Hardware With Built-in Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.