БЛОГ

Jul 9, 2020

DARPA Announces First Bug Bounty Program to Hack SSITH Hardware Defenses

Posted by in categories: cybercrime/malcode, internet, mobile phones, robotics/AI

Electronic systems – from the processors powering smartphones to the embedded devices keeping the Internet of Things humming – have become a critical part of daily life. The security of these systems is of paramount importance to the Department of Defense (DoD), commercial industry, and beyond. To help protect these systems from common means of exploitation, DARPA launched the System Security Integration Through Hardware and Firmware (SSITH) program in 2017. Instead of relying on patches to ensure the safety of our software applications, SSITH seeks to address the underlying hardware vulnerabilities at the source. Research teams are developing hardware security architectures and tools that protect electronic systems against common classes of hardware vulnerabilities exploited through software.

To help harden the SSITH hardware security protections in development, DARPA today announced its first ever bug bounty program called, the Finding Exploits to Thwart Tampering (FETT) Bug Bounty. FETT aims to utilize hundreds of ethical researchers, analysts, and reverse engineers to deep dive into the hardware architectures in development and uncover potential vulnerabilities or flaws that could weaken their defenses. DARPA is partnering with the DoD’s Defense Digital Service (DDS) and Synack, a trusted crowdsourced security company on this effort. In particular, FETT will utilize Synack’s existing community of vetted, ethical researchers as well as artificial intelligence (AI) and machine learning (ML) enabled technology along with their established vulnerability disclosure process to execute the crowdsourced security engagement.

Bug bounty programs are commonly used to assess and verify the security of a given technology, leveraging monetary rewards to encourage hackers to report potential weaknesses, flaws, or bugs in the technology. This form of public Red Teaming allows organizations or individual developers to address the disclosed issues, potentially before they become significant security challenges.

Comments are closed.