Responsible Disclosure Policy

The Star Entertainment Group Limited is committed to implementing appropriate security measures to protect its systems and data.

We encourage you to inform us about any security vulnerability you identify that affects us, subject to the rules below.

The Star acknowledges the important role that responsible security researchers play in identifying vulnerabilities so that affected organisations can address them.

The following rules apply to your disclosure of a security vulnerability to us.

Entities covered by this Policy

  1. This Policy applies to The Star Entertainment Group Limited ABN 85 149 629 023 and its subsidiaries including, for example, The Star Pty Limited ABN 25 060 510 410 and The Star Entertainment QLD Limited ABN 78 010 741 045 (collectively The Star or us).

Security vulnerabilities within scope of this Policy

  1. A security vulnerability that could allow an attacker to compromise the availability, integrity or confidentiality of one of The Star's systems, products or services is within the scope of this Policy.
  2. You may report to us under this Policy security issues of which you become aware relating to gambling technology that we use in our casinos.  However, you are not authorised to actively look for such issues.
  3. You are authorised to look for, and report to us, in accordance with this Policy any security vulnerabilities that affect any other technology systems operated by The Star or operated for The Star by a third party.
  4. You are not authorised by this Policy to look for security vulnerabilities that affect The Star or any third party, except as stated above.

Exclusions from scope of this Policy

  1. You are not authorised under this Policy to look for issues relating to or arising from:
    1. physical security arrangements at any premises;
    2. social engineering activities (for example, phishing); or
    3. denial of service or other volume-based attacks.
  2. You are not authorised under this Policy to:
    1. do anything that may degrade the performance of any of our systems;
    2. send electronic messages to any person without their consent;
    3. access data relating to any person other than yourself;
    4. amend, delete or extract any data from any system;
    5. post any virus or malware on any system or otherwise use, handle or deploy any virus or malware;
    6. impersonate any other person;
    7. interrupt any of our services;
    8. use automated vulnerability scanners to check systems; or
    9. breach any law.
  3. The following people are excluded from the scope of this Policy:
    1. employees and officers of The Star; and
    2. technology or security contractors engaged by The Star, their employees and any other individuals they directly or indirectly engage for work relating to The Star.

How to report a vulnerability to us

  1. You can report a security vulnerability to us by completing the form below.
  2. In your submission, please provide:
    1. A short description of the vulnerability.
    2. Details of the systems that are affected by the vulnerability.
    3. Details of the security impact of the vulnerability.  How could an attacker exploit it?
    4. Instructions on how we can reproduce or verify the vulnerability.
    5. Any suggestions you have about how to fix the vulnerability.
    6. Any other relevant information.
  3. If you identify a security vulnerability you must not exploit it, including for any person's gain or for the detriment of The Star or any other person.  Instead you should describe in your submission the "proof of concept" as to how the vulnerability could be exploited by an attacker.
  4. We will aim to acknowledge your report promptly.  If we consider the vulnerability material enough to make changes to our systems or practices, we will aim to let you know when we have done so.
  5. We encourage you to provide us with your full name and contact details.  Unless otherwise required by law or by a regulator we will keep this information confidential.

Confidentiality

  1. You must not disclose a security vulnerability you report to us to any other person, except to the extent:
    1. you are required by law to do so;
    2. the vulnerability comes into the public domain other than due to your breach of this obligation; or
    3. we provide our prior written consent.

Recognition

  1. If you are the first to inform us about a security vulnerability we don't already know about, we may decide to offer you recognition.
  2. Recognition may take any form we consider appropriate, for example naming you in our "Hall of Fame" on our website, providing you with a gift or providing you with a cash payment.  We may require you to enter a brief agreement with us as a condition of receiving recognition.
  3. When deciding whether to offer you recognition we will consider:
    1. the potential impact of the security vulnerability on our business;
    2. the quality of your report; and
    3. whether we consider the vulnerability material enough to make changes to our systems or practices.

Queries

  1. If you have any queries about this Policy or how it applies, please complete the form below.  If in doubt, please ask us, so as to avoid any unintentional breach of this Policy.


Changes to this Policy

  1. We may amend this Policy from time to time.  We may also decide to revoke this Policy.
  2. This version of this Policy is dated September 2024.
Responsible Disclosure Form