DARPA starts its own bug bounty program for hackers and researchers


DARPA, the U.S. Department of Defense's research agency, starts its own bug bounty program for hackers to find weaknesses in the hardware defenses developed under its SSITH program

Now DARPA wants hackers to find weaknesses in its hardware defenses. The Defense Advanced Research Projects Agency (DARPA) has announced a bug bounty program inviting security researchers and hackers to find exploits in new hardware-level security mechanisms that it has developed over the past few years to protect systems from cyberattacks.

What is DARPA?

DARPA, the Defense Advanced Research Projects Agency, is an agency of the United States Department of Defense responsible for developing emerging technologies for military use. It has been at the forefront of developing ways to target adversaries with robots, UAVs and similar systems, and it has also produced some unusual hardware, such as Hydra (an undersea network of mobile unmanned sensors), QuASAR (Quantum Assisted Sensing and Readout), the Boeing X-37 and Blackjack.

Most of what DARPA develops is cutting-edge military technology, so DARPA wants it to hold up against cyberattacks. Hence the bug bounty program. DARPA, in collaboration with the crowdsourced security firm Synack, will host a bug bounty program between July and September this year in which researchers from around the world will have an opportunity to take a crack at technologies developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) effort.

Hackers and security researchers who qualify for the bug bounty program will be given access to emulated systems running on Amazon's cloud infrastructure. Each emulated system will include SSITH hardware-security controls and run software stacks with known vulnerabilities, so the target is not the software bugs themselves but whether the hardware stops them from being exploited. This is a rare chance for outsiders to get a look at how DARPA's normally secretive technology works.

Hackers who find bugs and exploits in these systems by bypassing the SSITH security mechanisms will be eligible for bounties ranging from a thousand to tens of thousands of dollars.

SSITH hardware defenses are focused on tackling seven vulnerability classes identified by the MITRE Common Weakness Enumeration Specification (CWE) and NIST. We're asking ethical hackers and analysts to disclose weaknesses in the hardware defenses that could lead to exploitation via one of these vulnerability classes.

Keith Rebello, program manager, DARPA Microsystems Technology Office (MTO)

DARPA says bug classes including privilege escalation, memory overflows, data exfiltration, remote code execution (RCE) and code injection will be in scope for the bounty. DARPA launched the SSITH program in 2017 in collaboration with SRI International, the University of Cambridge, the Massachusetts Institute of Technology (MIT), the University of Michigan and Lockheed Martin. SSITH is devoted to building hardware that makes it harder for attackers to exploit hardware vulnerabilities through software. Through this bug bounty program, DARPA hopes to learn about weaknesses the SSITH defenses may still have.
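To make the "memory overflow" class concrete, here is an added illustration written for this page; it is not DARPA's, SSITH's or Synack's code and says nothing about how the SSITH defenses are built. It models a classic unchecked copy (CWE-120 style) on a single heap block so that it runs deterministically without undefined behaviour: the first BUF_SZ bytes play the role of a fixed-size input buffer and the byte right after it stands in for an adjacent control value on a real stack frame (a saved return address or an "is_admin" flag). All names, sizes and the 12-byte payload are constructed for the example. The unchecked copy is the kind of software bug the emulated SSITH targets are seeded with; the bounded version is the software fix, and SSITH's premise is that hardware should stop the unchecked case even when that fix is missing.

```c
/* Constructed example: an unchecked copy spilling into an adjacent control
 * byte, next to a bounded copy that refuses oversized input.  The "frame" is
 * one calloc'd block, so every write stays inside a valid allocation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ   8          /* size of the input buffer (hypothetical) */
#define FLAG_OFF BUF_SZ     /* control byte sits right after the buffer */
#define FRAME_SZ 32         /* whole modelled frame; len must stay below it */

/* Constructed payload: 12 bytes of 'A', four more than the buffer holds. */
static const uint8_t OVERSIZED[] = "AAAAAAAAAAAA";

/* Vulnerable: copies len bytes with no bound check (CWE-120).  With len >
 * BUF_SZ the loop runs past the buffer and overwrites the control byte. */
static int copy_unchecked(uint8_t *frame, const uint8_t *src, size_t len) {
    for (size_t i = 0; i < len; i++)
        frame[i] = src[i];
    return 0;
}

/* Hardened: rejects input that does not fit, so FLAG_OFF is never touched. */
static int copy_bounded(uint8_t *frame, const uint8_t *src, size_t len) {
    if (len > BUF_SZ)
        return -1;
    memcpy(frame, src, len);
    return 0;
}

/* Runs one copy routine against a zeroed frame and reports the control byte
 * afterwards: 0 means intact, non-zero means the copy corrupted adjacent
 * state.  Returns -1 if the routine rejected the input, -2 if the request
 * cannot be represented by this model. */
int run_frame(int (*copy)(uint8_t *, const uint8_t *, size_t),
              const uint8_t *src, size_t len) {
    if (len > FRAME_SZ)
        return -2;
    uint8_t *frame = calloc(FRAME_SZ, 1);
    if (!frame)
        return -2;
    int rc = copy(frame, src, len);
    int flag = (rc == 0) ? frame[FLAG_OFF] : -1;
    free(frame);
    return flag;
}

int main(void) {
    size_t big = sizeof(OVERSIZED) - 1;   /* 12 bytes, excluding the NUL */
    printf("unchecked, %zu bytes: control byte = 0x%02x\n",
           big, run_frame(copy_unchecked, OVERSIZED, big));
    printf("bounded,   %zu bytes: result = %d (rejected)\n",
           big, run_frame(copy_bounded, OVERSIZED, big));
    printf("unchecked, %d bytes: control byte = 0x%02x\n",
           BUF_SZ, run_frame(copy_unchecked, OVERSIZED, BUF_SZ));
    return 0;
}
```

With the oversized payload the unchecked copy leaves 0x41 ('A') in the control byte, which is exactly the condition a bounty hunter on the SSITH targets is trying to reach: a software bug that writes where it should not, with the hardware defense as the only thing left to stop it. Whether a given SSITH design catches this at the memory, pointer or instruction level is what the FETT exercise is meant to find out; nothing in this snippet assumes how it does.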

If you are a hacker or a security researcher, sign up for DARPA's Finding Exploits to Thwart Tampering (FETT) program. Eligibility is determined through a Capture the Flag qualifier round, and hackers who are new to DARPA and not already part of Synack's Red Team will also need to pass a technical assessment.

So if you have it in you, here is a chance to find out what one of the world's top, and most secretive, research labs is developing.

