SpaceX bug bounty offers up to $25,000 per Starlink exploit

SpaceX is offering between $100 and $25,000 in bounties to hackers who report exploits to the company through their website.

The spacecraft manufacturer has set up a dedicated page on crowdsourced bug bounty platform Bugcrowd, giving would-be white hats a centralised method for reporting un-patched SpaceX and Starlink exploits.

Hackers who submit reports on network vulnerabilities can expect up to $10,000, while on a “case-by-case” basis those who discover and report vulnerabilities with Starlink dishes, satellites or other such hardware can receive up to $25,000.

According to its Bugcrowd page, SpaceX has so far rewarded 41 vulnerability reports, at an average of $972 each. A more comprehensive list of prices per type of vulnerability discovered can be found on the page, but SpaceX specifically forbids physical tampering with its infrastructure or that of Starlink’s, as well as testing that could directly impact its services.

In a document shared by SpaceX titled ‘Starlink welcomes security researchers (bring on the bugs), the company outlines its position on bug bounties.

“We allow responsible security researchers to do their own testing, and we provide monetary rewards when they find and report vulnerabilities,” states the document.

“We recognize and appreciate the support of the broader security community in making Starlink better and more secure. We encourage researchers to test Starlink for security issues in a non-destructive way and to report their findings through our bug bounty program.”

SpaceX further states that it considers vulnerability research within its bug bounty policies to be exempt from Digital Millennium Copyright Act (DMCA) claims, legal action as a result of Computer Fraud and Abuse Act (CFAA) violation, and SpaceX terms and conditions that would interfere with research.

Bug bounties are a popular form of publicly-sourced testing for companies, that offer white hat hackers lucrative rewards and permission to attempt to hack some of the most challenging commercial security systems, in return for information on any vulnerabilities that they discover.

In June, an employee working for the vulnerability coordination platform HackerOne was found to have been stealing and re-submitting bug bounties for personal profit and was subsequently fired.

The Starlink constellation, which aims to provide satellite broadband access to customers worldwide, is rapidly growing. With over 2,500 satellites currently in orbit and an end goal of 12,000 having been approved by the FCC, it is a frontrunner in the growing race for satellite internet dominance, which has already spawned disagreements as well as interest from agencies such as DARPA.