How to Report a Vulnerability


Responsible Disclosure Program

At TD, we are committed to maintaining the security of our systems and information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you follow the requirements of this Policy (as defined below), we will consider your research activities to be authorized conduct.

If you believe you have identified a potential security vulnerability in a TD application, please submit a report to us in accordance with this Policy. If you have any questions or concerns about this Policy, please contact us at TD.ResponsibleDisclosure@td.com.

Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact us.

While we appreciate your assistance with reporting potential security vulnerabilities, please note that TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting a report.

Thank you in advance for your participation. We appreciate your assistance.

Guidelines

This policy ("Policy") sets out terms and conditions of TD's Responsible Disclosure Program (the "Program"). In order to protect you and us, we have established the following requirements to participate in the Program:

  • Be at least 18 years of age or the age of majority in your jurisdiction (the age at which a person is considered an adult), or have your parent or guardian's permission to participate in the Program.
  • Conduct research using only accounts that you own or with the express consent of the account holder.
  • Comply with all applicable laws and regulations in connection with your research and participation in this Program.
  • Do not engage in any activity that can harm TD, our customers, or our employees.
  • Do not initiate or facilitate any fraudulent transactions.
  • If you acquire or access TD information or customer data, including personally identifiable information (name, address, email, etc.), as part of conducting research for the Program, immediately stop the activity, delete all copies of the data, and report it to us at TD.ResponsibleDisclosure@td.com.
  • Do not disclose any information related to your findings to any third parties or to the public without the prior written permission of TD.
  • Do not engage in out-of-scope testing, including: the physical security of TD property; social engineering attacks on TD customers or employees (e.g., phishing emails or sites); denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.

Submitting a Report

TD welcomes reports relating to any publicly accessible systems such as web applications, mobile applications, or services owned, operated, and/or controlled by The Toronto-Dominion Bank (including TD Bank Group and TD Bank, America's Most Convenient Bank). Please note that this does not include systems owned, operated, and/or controlled by TD Ameritrade.

If you have questions about a specific domain or application that you would like to research, please contact TD.ResponsibleDisclosure@td.com.

TD is particularly interested in findings relating to the OWASP Top 10 and/or potential vulnerabilities that may have a demonstrable security impact. When reporting a potential vulnerability, please include a detailed description of your finding(s), including:

  1. The full URL.
  2. Clear and concise steps taken.
  3. Any tools used during discovery.
  4. Objects possibly involved (e.g. filters or entry fields).
  5. Evidence (e.g., screen captures are welcome).
  6. Your assessment of risk (CVSS 3.1 preferred).
  7. The attack scenario, exploitability, and security impact of the vulnerability.
  8. Any proposed solution (not required).

Please note that we do not request nor require executable copies of code.

Legal Requirements

By submitting a report, you confirm that you have read, understand, agree to, and complied with the Policy. In addition, you agree that:

  • TD may take all steps needed to validate and mitigate potential vulnerabilities;
  • TD may share or disclose the findings;
  • TD may collect, use, share or disclose any personal information you provide to TD as part of your report, in accordance with our Privacy Policy; and
  • You grant TD any rights to your report needed to do any of the above.

Thank you again for your participation.