Summary by SpaceX/Starlink
While standing up new ground infrastructure, we exposed unauthenticated services externally. We appreciate this report that helped us quickly identify and remediate this in a responsible way.
SpaceX debug page accessible when using Starlink
Disclosed by JP_Bennett- Engagement SpaceX/Starlink
- Disclosed date almost 3 years ago
- Reward $4,800
- Priority P2 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by JP_Bennett
Internal IPs discovered via a simple Traceroute had exposed ports when visiting from a Starlink ISP connection. What looked like an information disclosure only, was soon confirmed to be more serious due to an exposed GRPC endpoint that was unauthenticated.