Starlink is a SpaceX service for providing high speed internet via satellite. SpaceX welcomes researchers to test on their platform in a non-disruptive manner and submit findings as set forth below. SpaceX values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. Testing is only authorized on the targets listed as in scope (see the scope page).
Any domain/property of SpaceX not listed in the targets section is out of scope. This includes any/all subdomains not listed as in scope. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to SpaceX, you can report it as set forth below. However, be aware that it is ineligible for rewards or points-based compensation.
While starlink.com is in scope (see scope section below for more details), we are not currently providing beta invites, credentials, or hardware to researchers. However, researchers are free to test on equipment they own or any in-scope targets that they have access to.
If you would like to participate in the Starlink beta and purchase hardware, please sign up with a personal email address on starlink.com. There is no guarantee you will be selected as a customer as the program is currently in invite-only beta.
While we use Bugcrowd as a platform for rewarding all issues, please report issues in satellites, Starlink Dishes, or other hardware directly to email@example.com, using our GPG key to encrypt reports containing sensitive information.
- As mentioned above, any testing that disrupts service to other users is considered out of scope.
- Any physical attacks on infrastructure beyond what you physically own is out of scope. More specifically, you are welcome to test on your own Starlink Dish, but attacks against any larger scale infrastructure (such as ground stations that affect multiple users) are prohibited.
- You are not permitted to chain exploits or perform post-exploitation activities on satellites or other critical infrastructure. If you think you have discovered an issue with a satellite (or are close to discovering one) stop immediately and report the finding.
Do not engage in any sort of physical attacks on SpaceX/Starlink infrastructure or conduct testing which could interfere with its stability or ability to provide service. If you believe you've found an issue that affects a satellite or other highly sensitive system, please stop and email firstname.lastname@example.org — we will work with you to safely complete a proof of concept.
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, SpaceX reserves the right to forward details of the issue to that third party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines and other rules and guidelines of this program:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Give SpaceX a reasonable time to correct the issue before making any information public.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions to the extent that they would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.
We pay rewards ranging from $100 to $25,000. Rewards are administered according to the following guidelines (see scope tab for target details):
- RCE: Up to $10,000
- SQLi: $500–$10,000
- XSS: $100–$1,000
- CSRF: $100–$500
- Authentication bypass: Up to $10,000
- Horizontal privilege escalation: $500-$3,000
- Vertical privilege escalation: $500–$10,000
Starlink Dish, satellite, or other products
- Case-by-case, up to $25,000 (report directly, see above). When triaging vulnerabilities, some of the factors we consider are:
- Target (Dish, satellite, router, backend infrastructure, etc.)
- Access required (physical, local network, authenticated, etc.)
- Privileges gained on target
- Persistence on target
|Technical severity||Reward range|
|p1 Critical||Up to: $25,000|
|p2 Severe||Up to: $10,000|
|p3 Moderate||Up to: $5,000|
|p4 Low||Up to: $1,000|
Our targets are separated in to two categories: web targets and product/infrastructure targets. These pay differently, as listed on the program details page.
In-scope web targets
In-scope product/infrastructure targets
Reminder: reports for these targets should be sent directly to firstname.lastname@example.org, and encrypted with our GPG key if needed.
- Hardware that you own or are authorized to test against (Starlink Dish/Router)
- *.starlinkisp.net (some services may be considered web targets, especially those which provide information only, such as dashboards)
Out of scope targets
The following finding types are specifically out of scope:
- Lack of MFA
- Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site.
- Internal IP address disclosure.
- Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc).
- Social engineering / phishing attacks.
- Self XSS.
- Text injection.
- Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar, and related issues).
- Descriptive error messages (e.g. stack traces, application or server errors, path disclosure).
- Fingerprinting/banner disclosure on common/public services.
- Clickjacking and issues only exploitable through clickjacking.
- CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
- Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements
- Lack of rate limiting or other missing DOS protections.
- HTTPS mixed content scripts.
- Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
- Missing HTTP security headers.
- TLS/SSL Issues, including BEAST, BREACH, insecure renegotiation, bad cipher suite, expired certificates, etc.
- Cases which affect Starlink hardware (such as user data encryption in the Starlink Dish) may be in scope.
- Standard WPA cracking attacks, such as those that result from users choosing weak passwords.
- Denial of Service attacks.
- Out-of-date software.
- Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope).
- Physical attacks against SpaceX's Facilities/Property.