DARPA initiates bug bounty program

Defense Advanced Research Project Agency (DARPA) officials said the organization has launched Finding Exploits to Thwart Tampering (FETT), its inaugural bug bounty program.

The endeavor, which officials said seeks to uncover potential weaknesses within new secure processors in development on the System Security Integration Through Hardware and Firmware (SSITH) program, opens virtual doors to a community of ethical hackers and cybersecurity researchers.

DARPA has partnered with the Department of Defense’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company.

“Over 500 researchers registered for Synack’s open Capture-the-Flag qualifier and 24 ultimately qualified for the Technical Assessment ‘Fast Pass’, which is attributed to the high bar set for skilled participants,” Keith Rebello, the DARPA program manager leading SSITH and FETT, said. “We are encouraged by the level of interest we’re seeing in our effort and the positive turnout from the cybersecurity community to help improve electronic system security for all.”

The overarching goal, officials said, is to enable the research teams working under SSITH to improve hardware defenses by addressing any discovered weaknesses or bugs – noting security researchers would analyze and explore secure hardware architectures and approaches developed by research teams from the University of Cambridge and SRI International; University of Michigan; Lockheed Martin; and Massachusetts Institute of Technology.

“We are raising the bar of our cybersecurity position by embracing the security researcher community,” Brett Goldstein, director of Defense Digital Service, said. “We have to move away from cybersecurity via obscurity and leverage the best skills available to protect our nation.”