In this policy, references to "Starling Bank", "us", "we" and "our" mean Starling Bank Limited, a company incorporated and registered in England and Wales, with registered company number 09092149 and with registered address at 5th Floor, London Fruit And Wool Exchange, 1 Duval Square, London, E1 6PW.

Responsible Disclosure Policy

It’s important that anybody is able to contact us, quickly and effectively, with security concerns or information pertinent to our customers’ privacy or the confidentiality, integrity or availability of our systems. Therefore we operate a responsible disclosure policy to help security professionals and others alert us swiftly with the minimum of fuss.

If you believe you have identified a vulnerability, please read through the submission terms below and use one of the means below to contact us.

The terms below apply to any website, application or service distributed by or hosted by Starling Bank or served under a domain name owned by Starling Bank.

You can use our email address or technical partner to alert us to:

  • vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data or our customers' data
  • "copycat" applications or phishing attacks even if they do not originate from Starling Bank sources
  • activity, discussion or data in any public forum which you believe constitutes a threat to Starling Bank or our customers

Responsibilities

At all times act responsibly and in the best interests of Starling Bank and our customers.

  • Do not break the law
  • Do not use social engineering techniques against our customers or staff
  • Do not put any Starling Bank or customer data at risk
  • Do be specific
  • Do provide a detailed and complete submission (masking or encrypting if necessary)
  • Do reference existing vulnerability information where relevant

It is important that we treat your communication as a responsible disclosure and not an attack or extortion. Following these guidelines will help to ensure that. We act decisively on attacks and extortion attempts including reporting them to the police.

How to disclose a security issue to us

Please use the sections below to make your submission.

By emailing or providing a disclosure to us, you agree to the terms of our Privacy Notice and that we can use your submission and its contents to ensure the security, integrity and reliable operation of our technology and business.

If you are uncomfortable sending any of the following content by email, you may mask or redact sensitive content or encrypt data using the PGP key included at the bottom of this page.

Your submission should contain:

  • clear description and evidence of the vulnerability (logs, screenshots, responses)
  • detailed steps to reproduce the issue
  • any platforms, operating systems, versions that are relevant
  • any relevant IP addresses or URLs
  • any supporting evidence you have collected (logging, tracing etc.)
  • your assessment of the exploitability or impact of the issue
  • your name, role (if appropriate) and contact details

Please preserve as much evidence as possible as we may need to examine it.

How we will respond

Responding quickly and effectively to important communication sent to this email address matters to us, so we take steps to manage spam and to quickly identify high-quality submissions.

We discourage and will not respond to:

  • reports of generic vulnerabilities with no evidence of relevance to our systems
  • reports of any information already in the public domain
  • reports that are vague or non-actionable
  • anonymous reports

We will respond quickly and gratefully if we believe that you are faithfully reporting an issue in line with these terms and in the best interests of Starling Bank and its customers.

Recognition

We do not offer financial reward for submissions but we do believe in public recognition for anyone who helps us to ensure our systems and data are secure. We will not name you without your consent. If a public endorsement is appropriate we will discuss the details with you in advance.

We are actively working to put in place a bug bounty program that will facilitate and regulate financial reward for submissions but we cannot do so at this time.

Confidentiality

You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential and not share or otherwise use it for any purpose other than emailing it to us as a submission as described above.

Submit a disclosure

Anyone can report an information security issue using our dedicated email address below.

Send us an email

Submit a technical disclosure

If you have in-depth technical details such as CVSS scoring or CWE references, you may prefer to make your submission via our technical form.

Make a disclosure

Other

If you are uncomfortable sending your submission by email, you may mask or redact sensitive content or encrypt data using the PGP key below.

