You are now leaving our website and entering a third-party website over which we have no control.
How to Report a Vulnerability
At TD, we are committed to maintaining the security of our systems and our customers’ information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you believe you have identified a potential security vulnerability in a TD application, please notify us by sending an email to td.responsibledisclosure@td.com.
Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact our Customer Service team.
TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting potential issues in accordance with the program outlined in this Policy.
Thank you in advance for your submission. We appreciate your assistance in our security efforts.
General Requirements
-
Only conduct research on publicly available content
-
Do not store, share, or compromise TD data
-
Do not initiate or facilitate any fraudulent transaction
-
Do not disclose potential vulnerabilities to any third parties or to the public without the prior written permission of TD
If permission is provided, coordinate the disclosure/release/publication of your finding with TD; and limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public).
Scope
Any publicly-accessible systems owned, operated, and/or controlled by TD Bank Group including web applications, mobile applications, or services hosted on those systems are in-scope.
If you have questions about a specific domain or application that you would like to research, please contact TD.ResponsibleDisclosure@td.com.
This program is not permission for any of the following: Testing the physical security of TD property; Social engineering attacks on TD customers or employees (e.g., phishing emails or sites); Denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.
Legal Requirements
You must comply with all applicable laws in connection with your participation in this program.
If you conduct research and submit your findings to TD in accordance with this Policy, we will consider it authorized conduct.
TD reserves all legal rights with respect to any of the activities described in this policy.
By submitting your report to TD (your “Submission”), you agree that:
-
TD may take all steps needed to validate and mitigate the vulnerability;
-
TD may share or disclose the vulnerability as provided in this Policy;
-
TD may collect, use, share or disclose any personal information you provide to TD as part of your Submission; and
-
You grant TD any rights to your Submission needed to do any of the above.
Submitting a Report
TD is particularly interested in vulnerabilities from the OWASP Top 10 and/or vulnerabilities that have a demonstratable security impact. When reporting a potential vulnerability, please include a detailed description of your discovery, including:
-
The full URL.
-
Clear and concise steps taken.
-
Any tools used during discovery.
-
Objects possibly involved (e.g. filters or entry fields).
-
Evidence (e.g. screen captures welcome).
-
Your assessment of risk (CVSS 3.1 preferred).
-
The attack scenario, exploitability, and security impact of the vulnerability.
-
Any proposed solution (not required).
Please note that we do not request nor require executable copies of code.
By submitting a report to TD, you are indicating that you have read, understand, and agree to this Policy.
Please submit your report to: td.responsibledisclosure@td.com
Once TD receives your email, we will send an automatic email as acknowledgement. We will only make further contact with you if we need additional information to help investigate the issue.
TD will make reasonable efforts to timely investigate and close potential issues that have a demonstrated security impact, but for the protection of our customers, we may choose to not disclose, discuss, or confirm security issues.
Thank you again for your submission.