Starling Bank Limited

It’s important that anybody is able to contact us, quickly and effectively, with security concerns or information pertinent to our customers’ privacy or the confidentiality, integrity or availability of our systems. Therefore we operate a responsible disclosure policy to help security professionals and others alert us swiftly with the minimum of fuss.

Response Targets

Starling Bank Limited will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 days
  • Time to triage (from report submit) - 2 days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

At all times act responsibly and in the best interests of Starling Bank and our customers.

  • Do not break the law
  • Do not use social engineering techniques against our customers or staff
  • Do not put any Starling Bank or customer data at risk
  • Do be specific
  • Do provide a detailed and complete submission (masking or encrypting if necessary)
  • Do reference existing vulnerability information where relevant
  • Follow HackerOne's disclosure guidelines.

It is important that we treat your communication as a responsible disclosure and not an attack or extortion.

Program Rules

You agree to the terms of our Privacy Notice and that we can use your submission and its contents to ensure the security, integrity and reliable operation of our technology and business. Your submission should contain:

  • Clear description and evidence of the vulnerability (logs, screenshots, responses)
  • Detailed steps to reproduce the issue
  • Any platforms, operating systems, versions that are relevant
  • Any relevant IP addresses or URLs
  • Any supporting evidence you have collected (logging, tracing etc.)
  • Your assessment of the exploitability or impact of the issue
  • Your name, role (if appropriate) and contact details
  • Please preserve as much evidence as possible as we may need to examine it.

To protect our ability to respond quickly and effectively to important communication, and in conjunction with HackerOne, we take steps to manage spam and quickly identify high-quality submissions.
We discourage and will not respond to:

  • reports of generic vulnerabilities with no evidence of relevance to our systems
  • reports of any information already in the public domain
  • reports that are vague or non-actionable

We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Starling Bank and its customers.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.


You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential and not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.

Thank you for helping keep Starling Bank Limited and our users safe!

In Scope

This program leverages 5 scopes, in 3 scope categories.
