Bug bounty programme?


#1

Hi there!

Couldn’t find any details about this, so I thought I might as well ask here:
Is there some bug bounty program running for security flaws?
I’d love to poke around the software a bit and report any flaws I discover, but obviously I won’t do this if there isn’t an official program allowing it. Wouldn’t want to get caught trying to break into a bank without formal approval. :slight_smile:

If there isn’t such a program available yet, are you planning to launch one in the future?

And in general, where can I read more about Starling’s security model?

Cheers,
-T


#2

They probably have enough known bugs to worry about already. :wink:


#3

They could do one without money, and just reward you with chocolate bars, t-shirts, etc.


#4

Not a bad idea… I think if serious security vulnerabilities are discovered, there should be financial rewards.


#5

I’d like to think the Starling team has security very high on its priority list. I’d also want to minimise the amount of chatter associated with any flaws found (other than in the development environment).


#6

Does Amazon have a bug bounty programme? I know a lot of the big tech companies do.


#7

It serves multiple purposes, even recruitment.


#8

Hi,

We don’t have a bug bounty program, but we welcome general bug reports on the community if you spot anything.

Thanks for the idea, I’ll mention it to the team here.

Sarah


#9

Amazon has a few bug bounty programs, yes. AWS has a pretty big one, actually. Lots of work is done there.

And if we’re talking big tech in general, yes, many do. A good friend of mine is in charge of Facebook’s bug bounty program and they’re getting some pretty awesome results.


#10

Awesome, thanks!
Let us know if there are any updates on this. :slight_smile:


#11

Impressive. Not that I’d be able to discover security vulnerabilities :smile:


#12

Hi Tom, it is being considered, but I don’t have much to tell you at this stage. I’ll keep you posted.


#13

I’m sure if someone finds a critical flaw, they’ll find a way to ask politely for a bit of money, bounty programme or no. :slight_smile:


#14

I have the same question about a rewarded bug bounty program. Maybe you have a private bounty? I’m a security researcher and work at a security company, not a guy from the side… I’m sure if I analyse part of the starlingbank portals I will find some flaws, but as I said I am a white-hat guy, and I do not do anything without permission and a positive answer about a bounty program…