SpaceX Announces $25,000 Bug Bounty Program to Uncover Flaws in Starlink

Elon Musk’s SpaceX kicks off a Bug Bounty program after Belgian researcher blows open Starlink terminal with $25 homemade equipment.

Last Updated: August 19, 2022

SpaceX has announced bounties of up to $25,000 for researchers to discover and report bugs in its satellite constellation, Starlink. The extensive bug bounty program entails remuneration of up to $10,000 for finding flaws in its network and up to $25,000 for pointing out vulnerabilities in Starlink hardware such as dishes, satellites, etc.

The Starlink bug bounty was announced just a week after Belgian researcher Lennert Wouters demonstrated a voltage fault injection attack on the Starlink user terminal at Black Hat USA. Wouters successfully hacked the satellite dish, called the Starlink User Terminal (UT), using a homemade modchip that cost just $25 to assemble.

Besides the UT, the Starlink system has two other major parts: the satellites and the ground gateways that link the constellation to the internet. Wouters, a researcher at KU Leuven, soldered his custom modchip onto the UT's circuit board so that it could briefly short the power supply at a chosen moment (a voltage glitch), and used that fault to gain root access to the UT.

“From a security standpoint, this is a well designed product. There was no obvious low-hanging fruit,” Wouters clarified on stage. SpaceX paid an undisclosed amount to Wouters, who now sits at #2 in the SpaceX/Starlink bug bounty Hall of Fame.

By August 2022, SpaceX had launched approximately 3,055 of the planned 12,000 satellites since 2018, making Starlink the world’s largest satellite constellation. It provides internet connectivity to hard-to-reach places on Earth with a user base spread across 37 countries, including war-torn Ukraine.

The minimum bounty white hats can expect is $100. The bugs are categorized under two Starlink components: web/network and Starlink dish, satellite and other hardware. The payout is further classified within each component based on the type of vulnerability discovered.


Starlink Bug Bounty Program:

Web/Network Targets

  Vulnerability Type                  Reward
  Remote Code Execution (RCE)         Up to $10,000
  SQL injection (SQLi)                $500–$10,000
  Cross-Site Scripting                $100–$1,000
  Cross-Site Request Forgery (CSRF)   $100–$500
  Authentication Bypass               Up to $10,000
  Horizontal Privilege Escalation     $500–$3,000
  Vertical Privilege Escalation       $500–$10,000

Starlink Dish, Satellite, Other Products

  Vulnerability Type: assessed on a case-by-case basis, according to:
    • Target (dish, satellite, router, backend infrastructure, etc.)
    • Access required (physical, local network, authenticated, etc.)
    • Privileges gained on target
    • Persistence on target
  Reward: Up to $25,000

The impact of the vulnerability Wouters discovered is bounded, SpaceX said, by the “minimal set of privileges” that a Starlink UT needs to operate as intended. And because the attack required physical access to the terminal and could not be carried out remotely, there was little SpaceX could do to prevent it.

Nevertheless, the point is that it can be hacked, which is why the Elon Musk-headed company is calling on security researchers to “bring on the bugs.”

Security researchers have applauded SpaceX’s response to Wouters’ discovery.

SpaceX said it will not pursue claims under the Digital Millennium Copyright Act (DMCA), which penalizes circumvention of technological protection measures, against white hat research conducted under the program. Researchers also need not worry about legal action from SpaceX under the Computer Fraud and Abuse Act (CFAA), or similar state laws, for accidental, good-faith violations of the company’s terms and conditions.

The only caveat is that researchers must adhere to the Responsible Disclosure Guidelines stated on SpaceX/Starlink’s centralized bug reporting page on Bugcrowd.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
