How to Report a Vulnerability
Responsible Disclosure Program
At TD, we are committed to maintaining the security of our systems and our customers’ information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you believe you have identified a potential security vulnerability in a TD application, please notify us by submitting a report.
Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact our Customer Service team.
TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting potential issues in accordance with the program outlined in this Policy.
Thank you in advance for your submission. We appreciate your assistance in our security efforts.
General Requirements
- Only conduct research on publicly available content
- Do not store, share, or compromise TD data
- Do not initiate or facilitate any fraudulent transaction
- Do not disclose potential vulnerabilities to any third parties or to the public without the prior written permission of TD.
  If permission is provided, coordinate the disclosure/release/publication of your finding with TD, and limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public).
Scope
Any publicly-accessible systems owned, operated, and/or controlled by TD Bank Group including web applications, mobile applications, or services hosted on those systems are in-scope.
This program is not permission for any of the following:
- Testing the physical security of TD property;
- Social engineering attacks on TD customers or employees (e.g., phishing emails or sites);
- Denial of service or resource exhaustion attacks; or
- Mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.
Legal Requirements
You must comply with all applicable laws in connection with your participation in this program.
If you conduct research and submit your findings to TD in accordance with this Policy, we will consider it authorized conduct.
TD reserves all legal rights with respect to any of the activities described in this policy.
By submitting your report to TD (your “Submission”), you agree that:
- TD may take all steps needed to validate and mitigate the vulnerability;
- TD may share or disclose the vulnerability as provided in this Policy;
- TD may collect, use, share or disclose any personal information you provide to TD as part of your Submission; and
- You grant TD any rights to your Submission needed to do any of the above.
