You are now leaving our website and entering a third-party website over which we have no control.
Privacy and Security
How to Report a Vulnerability
At TD, we are committed to maintaining the security of our systems and our customers’ information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you believe you have identified a potential security vulnerability in a TD application, please notify us by sending an email to email@example.com.
Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact our Customer Service team.
TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting potential issues in accordance with the program outlined in this Policy.
Thank you in advance for your submission. We appreciate your assistance in our security efforts.
- Only conduct research on publicly available content
- Do not store, share, or compromise TD data
- Do not initiate or facilitate any fraudulent transaction
- Do not disclose potential vulnerabilities to any third parties or to the public without the prior written permission of TD.
If permission is provided, coordinate the disclosure/release/publication of your finding with TD; and limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public).
Any publicly-accessible systems owned, operated, and/or controlled by TD Bank Group including web applications, mobile applications, or services hosted on those systems are in-scope.
If you have questions about a specific domain or application that you would like to research, please contact TD.ResponsibleDisclosure@td.com.
This program is not permission for any of the following: Testing the physical security of TD property; Social engineering attacks on TD customers or employees (e.g., phishing emails or sites); Denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.
You must comply with all applicable laws in connection with your participation in this program.
If you conduct research and submit your findings to TD in accordance with this Policy, we will consider it authorized conduct.
TD reserves all legal rights with respect to any of the activities described in this policy.
By submitting your report to TD (your “Submission”), you agree that:
- TD may take all steps needed to validate and mitigate the vulnerability;
- TD may share or disclose the vulnerability as provided in this Policy;
- TD may collect, use, share or disclose any personal information you provide to TD as part of your Submission; and
- You grant TD any rights to your Submission needed to do any of the above.