"DARPA Announces Results of First Hardware Bug Bounty"

The Defense Advanced Research Projects Agency (DARPA) has announced the results of its Finding Exploits to Thwart Tampering (FETT) Bug Bounty program. The purpose of the FETT Bug Bounty was to prove the value of secure hardware architectures developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) program and highlight critical areas in need of more attention to strengthen defenses. DARPA collaborated with the Department of Defense's Defense Digital Service (DDS) and the crowdsourced security platform Synack on this effort. Synack's penetration testing process was used to conduct the bug bounty and support communications relating to discovered vulnerabilities. DARPA is sharing the results of the FETT Bug Bounty program after three months of reviewing over 13,000 hours of hacking exploits performed by more than 580 cybersecurity researchers. The Synack Red Team (SRT) disclosed ten vulnerabilities, seven of which were rated "critical," while the remaining three were considered "high," based on the Common Vulnerability Scoring System 3.0 standards. Most of the critical vulnerabilities identified during FETT stemmed from interactions between the SSITH hardware, SSITH firmware, and the operating system software, indicating the need to further investigate hardware/software co-design approaches and verification methods. This article continues to discuss the purpose, structure, and outcomes of DARPA's FETT Bug Bounty program, as well as the objective and current status of the SSITH program.

Homeland Security Today reports "DARPA Announces Results of First Hardware Bug Bounty"

 

Submitted by Anonymous on