
Eutelsat
Eutelsat Group (OneWeb) looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
As a global hybrid satellite network communications company operating from both Low Earth Orbit (LEO) and Geosynchronous Orbit (GEO), Eutelsat Group (OneWeb) is building an advanced hybrid satellite constellation to connect businesses, telecom operators, and governments with high-speed, low-latency internet connectivity. Eutelsat Group (OneWeb) delivers secure, resilient connectivity through a network of distribution partners, from pole to pole, across oceans and continents.
Eutelsat Group (OneWeb) will make a best effort to meet the following SLAs for security researchers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 10 days |
| Time to Bounty | 15 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Please note that many of our systems involve technologies from third parties, and so resolution time can be quite extended. However, we will always aim to award bounty once a report is verified as valid and severity has been confirmed.
All issues reported must have a demonstrated risk associated with the reported vulnerability. Issues such as information disclosure or XSS in non-production systems that cannot demonstrate a security risk will not be accepted. Eutelsat Group's (OneWeb) Offensive Engineering team will work with researchers to demonstrate risk if a researcher needs help with proving the impact.
Eutelsat Group (OneWeb) will always accept good-faith security reporting without affecting the researcher's HackerOne score. Any issues discovered in out-of-scope services that are nevertheless owned by Eutelsat Group (OneWeb) will be reviewed on a case-by-case basis; this includes critical issues found in out-of-scope services. Critical issues in test or development environments are capped at a medium CVSS score, unless the investigation reveals that the access would allow further attacks into production systems or data. The final decision on accepting a report will be based on the researcher demonstrating that the issue impacts Eutelsat Group's (OneWeb) security posture.
Researchers may test vulnerabilities where practical. Issues such as RCE should use a payload such as "whoami" for demonstration. XSS should use document.domain or any payload demonstrating the domain the JS code is called from.
We have several systems where products are exposed at different stages of their development cycle (e.g. dev.[product].oneweb.build vs. [product].oneweb.systems). Where these scenarios exist, we will generally regard all reports relating to the same [product] as duplicates, unless there are strong reasons to handle the reports separately.
Eutelsat Group (OneWeb) employs third-party vendors, and some domains may be managed by third parties. For such submissions, the response times for triage and bounty rewards may be affected, as we are dependent on communication with the relevant third party. Please note that acceptance of vulnerabilities in third-party-owned assets is at the discretion of Eutelsat Group (OneWeb).
This refined scope ensures that researchers focus on vulnerabilities that can be clearly demonstrated to pose a substantial risk to Eutelsat Group (OneWeb). Reports in the following categories are in scope:

- Vulnerabilities leading to complete authentication bypass.
- RCE vulnerabilities that could lead to full control over the application or server.
- SQL injection vulnerabilities with high impact, such as unauthorized access to sensitive databases or data manipulation.
- Vulnerabilities that allow an attacker to escalate privileges significantly, leading to unauthorized access to sensitive data or functions.
- Vulnerabilities that enable unauthorized extraction or exposure of sensitive data (e.g., PII, financial data).
- Demonstrable business logic flaws that result in unauthorized access or substantial harm.

Although we do not allow testing of DoS vulnerabilities, if such an issue is discovered, Eutelsat Group (OneWeb) will work with the researcher to determine its impact.
Reports in the following categories are out of scope and will generally not be accepted:

- Vulnerabilities with minimal or theoretical risk, such as vulnerabilities with no Proof of Concept code.
- Findings that require an employee or contractor of Eutelsat Group (OneWeb) to enable a vulnerability through user interaction. The exception is CSRF or similar classes of vulnerability; Eutelsat Group (OneWeb) Offensive Engineering will work with the researcher to test such vulnerabilities in a controlled manner.
- Findings that provide information about the application but do not demonstrate a security risk. Information disclosure vulnerabilities will be assessed on a case-by-case basis.
- Vulnerabilities that have minimal impact on security and pose no significant risk.
- Vulnerabilities that only affect outdated or unsupported software versions, unless a risk such as RCE is demonstrated with a PoC.
- Vulnerabilities whose patches have only been publicly known for 2 months.
- Vulnerabilities that cannot practically be exploited to demonstrate risk.
- Non-technical issues such as legal, contractual, or policy violations.
- Vulnerabilities in third-party services not owned or operated by Eutelsat Group (OneWeb). If a vulnerability is found within a third-party service, it will be assessed on a case-by-case basis.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Eutelsat Group (OneWeb) and our users safe!