SpaceX
Sr. Network Security Engineer (Firewalls)
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About SpaceX
SpaceX, or Space Exploration Technologies Corp., is a private aerospace and space transportation company founded in 2002 by Elon Musk. Based in Starbase, Texas, SpaceX aims to reduce the costs of space launches and facilitate the establishment of a self-sustaining human colony on Mars. As of 2025, it is recognized as the leading space launch provider globally, surpassing both private and national programs. The company designs, manufactures, and launches advanced rockets and spacecraft. Its notable products include the Falcon 1, Falcon 9, Falcon Heavy, Dragon spacecraft, Crew Dragon, and Starship. SpaceX also operates Starlink, a satellite communications service. The company has achieved significant milestones in commercial spaceflight, such as being the first private entity to send humans into orbit and successfully recover a spacecraft. SpaceX collaborates with major clients, including NASA and the U.S. Armed Forces, providing services for satellite launches and space missions.
Security at SpaceX
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“SpaceX's AppSec mission is to be a "trusted partner to development and business teams" and to ensure "security considerations are addressed without slowing down delivery." They act as the "primary point of contact between Security Engineering and development teams" and are involved in "monitoring and responding to bug bounty submissions." Their risk philosophy includes "Experience with threat modeling and secure architecture design" and a "defense-in-depth" approach. Stated goals and pain points include "Experience with secure code development practices" and a need for "automation/scripting (Python, Bash, PowerShell)." Information regarding explicit public statements of a formal AppSec mission page, public security charter, or published risk appetite for AppSec is not publicly available.”
Security Team
- Org Structure & Reporting Line: Information not publicly available regarding whether AppSec is centralized or embedded or its reporting chain (CISO vs CTO).
- Key Public-Facing Leaders: Drew Orsinger, Chief Security Officer, who "serves as the Chief Security Officer of SpaceX." Paul 'IX' Kemppainen is referenced as a former SpaceX security leader.
- Team Size Estimate (as_of:): Information not publicly available; no reliable headcount.
- Active AppSec Job Postings (as_of:): At least 3 publicly listed roles (e.g., Application Security Engineer, Sr. Application Security Engineer, Security Software Engineer).
- Common Skill/Tool Patterns: "monitoring and responding to bug bounty submissions," "automation/scripting (Python, Bash, PowerShell)," and "Experience with threat modeling and secure architecture design."
- Public materials do not list internal org chart, explicit reporting lines to CISO/CTO, or complete list of AppSec leaders; LinkedIn people profiles for AppSec-specific leads were not discoverable publicly.
Key Initiatives
- Security Champions Program: No Evidence Found.
- Shift Left in Practice: The AppSec team acts as the "primary point of contact between Security Engineering and development teams" and is involved in 'Design and build security infrastructure for Starlink.com'.
- Vulnerability Management Process: Intake includes "monitoring and responding to bug bounty submissions" with "Rewards ranging from $100 to $50,000." "75% of submissions are accepted or rejected within 6 days." For Triage/Remediation, SpaceX states, "we will not initiate or support legal action against you." Secure SDLC Artifacts: Involve "Experience with threat modeling and secure architecture design" and 'Design and build security infrastructure for Starlink.com'.
- Recent Initiatives (Last 6 Months): Job postings and bug bounty program activity indicate ongoing hiring and active vulnerability disclosure program updates.
- No separate public announcement of new internal AppSec tool rollouts located in last 6 months.
- No public, detailed vulnerability triage SLAs (e.g., MTTR, ticket ownership) for internal developer-facing remediation workflows beyond bug bounty response statistics.