SpaceX is not only welcoming hackers to find holes in Starlink security; they are paying people to do it!
Earlier this week, we reported on Lennert Wouters’s hack of a Starlink dish and his presentation at the Black Hat security conference in Las Vegas.
After that news hit the media, SpaceX responded by saying it was encouraging hacks. The company wrote a blog post noting that it welcomes security researchers to hack the system and wants to “bring on the bugs”.
As per SpaceX’s Bugcrowd account, the payoffs for successful hacks range from $100 to $25,000.
Here is the full list of the rewards:
- RCE: Up to $10,000
- SQLi: $500–$10,000
- XSS: $100–$1,000
- CSRF: $100–$500
- Authentication bypass: Up to $10,000
- Horizontal privilege escalation: $500–$3,000
- Vertical privilege escalation: $500–$10,000
Starlink Dish, satellite, or other products:
- Case-by-case, up to $25,000 (report directly, see above).
When triaging vulnerabilities, some of the factors we consider are:
- Target (Dish, satellite, router, backend infrastructure, etc.)
- Access required (physical, local network, authenticated, etc.)
- Privileges gained on target
- Persistence on target
The payouts and scope are limited to “nondisruptive” testing, which does not affect user service or attack the infrastructure.
As per the Bugcrowd site, the average payout over the last three months has been $972.85.
Wouters’s attack was within the scope of the SpaceX bug bounty program, and he disclosed his hack to SpaceX.
According to reporting by Fortune and Wired, Wouters was paid by the program but did not disclose the amount.