The Star Entertainment Group Limited is committed to implementing appropriate security measures to protect its systems and data.
We encourage independent security researchers acting in good faith to inform us about any security vulnerability or related security issue they identify that affects us, subject to the rules below.
The Star acknowledges the important role that responsible security researchers play in identifying vulnerabilities so that affected organisations can address, resolve or mitigate them before they can be exploited.
The following rules apply to your disclosure of a security vulnerability to us.
Entities covered by this Policy
This Policy applies to The Star Entertainment Group Limited ABN 85 149 629 023 and its subsidiaries including, for example, The Star Pty Limited ABN 25 060 510 410 and The Star Entertainment QLD Limited ABN 78 010 741 045 (collectively The Star or us).
Security vulnerabilities within scope of this Policy
A security vulnerability or related security issue that could allow an attacker to compromise the availability, integrity or confidentiality of one of The Star's systems, products or services is within the scope of this Policy.
You may report to us under this Policy:
- Security vulnerabilities or security-related issues of which you become aware, relating to gambling technology that we use in our casinos; and
- Security vulnerabilities or security-related issues affecting technology systems operated by The Star or operated for The Star by a third party.
You are not authorised to actively look for issues relating to gambling technology used in our casinos.
You are not authorised to look for or test vulnerabilities affecting The Star or any third party, except as expressly permitted under this Policy.
Exclusions from scope of this Policy
You are not authorised under this Policy to look for issues relating to or arising from:
- Physical security arrangements at any premises;
- Social engineering activities (for example, phishing, smishing or impersonation);
- Denial of service or other volume-based attacks.
You are not authorised under this Policy to:
- Do anything that may degrade the performance of any of our systems;
- Send electronic messages to any person without their consent;
- Access data relating to any person other than yourself;
- Amend, delete or extract any data from any system;
- Post, deploy or otherwise use malware, viruses or malicious code;
- Impersonate any other person;
- Interrupt any of our services;
- Conduct brute-force credential attacks (including password spraying);
- Use automated vulnerability scanners to check systems; or
- Breach any applicable law or regulation.
The following people are excluded from the scope of this Policy:
- Employees or officers of The Star; and
- Technology or security contractors engaged by The Star, their employees or any individuals they directly or indirectly engage for work relating to The Star.
How to report a vulnerability to us
You can report a security vulnerability to us by completing the form below.
Please describe the issue in detail and include any evidence you have. Your notification will be reviewed by specialists, so please provide all information that may help them understand and verify the issue. In your submission, please provide the following:
- A short description of the vulnerability and the steps you took to identify the issue (screenshots and request samples are highly appreciated).
- Details of the system, URL, page, endpoint or component that is affected by the vulnerability.
- Whether any sensitive or personal data was exposed (if applicable).
- A clear explanation of how the vulnerability could be misused or exploited in practice.
- Any other relevant information that may help us verify the issue.
Handling a vulnerability
If you identify a security vulnerability:
- You must not exploit it, including for any person's gain or for the detriment of The Star Entertainment Group or any other person. Instead you should describe in your submission the "proof of concept" as to how the vulnerability could be exploited by an attacker.
- A team of security specialists will review your submission and respond as soon as possible. Please allow them sufficient time to investigate the issue thoroughly and resolve it appropriately.
- We encourage you to provide us with your full name and contact details. Unless otherwise required by law or by a regulator, we will keep this information confidential.
- If, during the course of your security testing, you encounter, access, or are able to view any sensitive information (including but not limited to personal data, financial information, patron details, employee information, or confidential business records), you must immediately stop all testing activities and notify us without delay. You must not copy, extract, download, store, share or disclose any such information in any form. Any accidental access must be reported promptly so we can take appropriate remediation steps.
Confidentiality
You must not disclose a security vulnerability you report to us to any other person, except to the extent:
- You are required by law to do so;
- The vulnerability comes into the public domain other than due to your breach of this obligation; or
- We provide our prior written consent.
Recognition
If you are the first to inform us about a security vulnerability we don't already know about, we may decide to offer you recognition.
Recognition may take any form we consider appropriate, including a thank‑you message, certificate of appreciation, gift, monetary award, or optional acknowledgement on our website. Recognition is discretionary and not guaranteed. When determining whether to offer you recognition, TSEG will consider:
- The potential impact of the vulnerability on our business;
- The quality, clarity, and completeness of your report; and
- Whether the issue is sufficiently material to require a change to our systems or practices.
We may choose not to offer recognition where:
- The issue is a duplicate of an existing report;
- The issue is already known to TSEG;
- The report does not comply with this Policy;
- The information provided is false, unverifiable, or obtained through unauthorised testing;
- The report is submitted in bad faith, including conduct such as extortion, threats, coercion, or any attempt to pressure TSEG into payment or favourable treatment.
Queries
If you have any queries about this Policy or how it applies, please complete the form below. If in doubt, please ask before taking any action to avoid any unintentional breaches of this Policy.
Changes to this Policy
We may amend this Policy from time to time. We may also decide to revoke this Policy.
This version of this Policy is dated April 2026.