SpaceX/Starlink

SpaceX produces rockets, provides launch services, and has developed Starlink - a SpaceX service for providing high speed internet via satellite. SpaceX welcomes researchers to test on their platform in a non-disruptive manner and submit findings as set forth below. SpaceX values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. Testing is only authorized on the targets listed as in scope (see the scope page).

Any domain/property of SpaceX not listed in the targets section is out of scope. This includes any/all subdomains and IPs not listed as in scope. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to SpaceX, you can report it as set forth below. However, be aware that it is ineligible for rewards or points-based compensation.

---

Starlink Target Information

While starlink.com is in scope (see scope section below for more details), we are not currently providing service, credentials, or hardware to researchers. However, researchers are free to test on equipment they own or any in-scope targets that they have access to.

If you would like to participate in the Starlink program and purchase hardware, please sign up with a personal email address on starlink.com. Availability is dependent on location and desired class of service.

While we use Bugcrowd as a platform for rewarding all issues, please report issues in satellites, Starlink Dishes, or other hardware directly to vulnerabilityreporting@spacex.com, using our GPG key to encrypt reports containing sensitive information.

---

Researching Responsibly

• As mentioned above, any testing that disrupts service to other users is considered out of scope.
• Any physical attacks on infrastructure beyond what you physically own is out of scope. More specifically, you are welcome to test on your own Starlink Dish, but physical attacks against any larger scale infrastructure (such as ground stations that affect multiple users) are prohibited.
• You are not permitted to chain exploits or perform post-exploitation activities on satellites or other critical infrastructure. If you think you have discovered an issue with a satellite (or are close to discovering one) stop immediately and report the finding.
• You are expected to make a good faith disclosure to SpaceX with details of any findings.
• We support the open publication of security research. We do ask that you give us a heads-up before any publication so we can do a final sync-up and check.

Do not engage in any sort of physical attacks on SpaceX/Starlink infrastructure or conduct testing which could interfere with its stability or ability to provide service. If you believe you've found an issue that affects a satellite or other highly sensitive system, please stop and email vulnerabilityreporting@spacex.com — we will work with you to safely complete a proof of concept.

---

Third-party bugs

If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, SpaceX reserves the right to forward details of the issue to that third party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.

---

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines and other rules and guidelines of this program:

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
• Do not modify or access data that does not belong to you.
• Give SpaceX a reasonable time to correct the issue before making any information public.
• Do not abuse vulnerabilities, or exploit them beyond the extent necessary to create a proof-of-concept.

---

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions to the extent that they would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

---

Rewards

We pay rewards ranging from $100 to $50,000. Rewards are administered according to the following guidelines (see scope tab for target details):

Web/network targets

• RCE: Up to $50,000
• SQLi: $500–$50,000
• XSS: $100–$10,000
• CSRF: $100–$5,000
• Authentication bypass: Up to $50,000
• Horizontal privilege escalation: $500-$10,000
• Vertical privilege escalation: $500–$50,000

Starlink Dish, satellite, or other products

• Case-by-case, up to $100,000 (report directly, see above). When triaging vulnerabilities, some of the factors we consider are:
  • Target (Dish, satellite, router, backend infrastructure, etc.)
  • Access required (physical, local network, authenticated, etc.)
  • Privileges gained on target
  • Persistence on target