Security is essential to Starlink’s mission and objectives. We value the input of hackers acting in good faith to help us maintain a high standard of security and privacy for our subscribers and technology. This includes encouraging responsible vulnerability research and disclosure.
Starlink is a large and complex network that provides internet connectivity on a global scale. Therefore, it is essential to have multiple layers of defense to limit the overall impact of individual vulnerabilities. This defense-in-depth means that if a single layer is compromised, there are additional layers behind it that can mitigate and constrain the problem. Starlink only runs software on its devices that it has explicitly written, developed and tested itself within the company. More information on “secure boot” and other tools Starlink uses to protect against security vulnerabilities and compromises to its devices can be found here. Please also refer to Starlink’s Specifications, Service Plans and Limited Warranty documents for Brazil here. Starlink and its device manufacturers and distributors provide support for security updates related to its products for five (5) years, which has been the defined support period since Starlink began selling and distributing its products and services globally.
Updates will be provided periodically, as needed to address an identified security vulnerability or to add a new security feature.
The Starlink Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company data secure. We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology and security protocols safer for everyone. Detailed guidelines and rules for participation can be found on our Bug Bounty Program page.
To report a security vulnerability, please let us know immediately by submitting an encrypted report (information found on the Bug Bounty Program page). Information shared with us in this manner must be shared unconditionally. If you believe you've found any other issue that affects a satellite or other highly sensitive system, please stop and email vulnerabilityreporting@spacex.com, using our GPG key to encrypt reports containing sensitive information. We will work with you to safely complete a proof of concept.
Starlink’s public support channel, through which it informs the public about new vulnerabilities identified in its products and provides updates on the mitigation measures and security fixes implemented to address them, can be found on this website: https://bugcrowd.com/engagements/spacex/crowdstream.
Starlink also publishes updates to relevant security findings and measures taken to fix identified vulnerabilities on this website: https://www.starlink.com/updates.