Privacy and Security

Report a Vulnerability

How to Report a Vulnerability

At TD, we are committed to maintaining the security of our systems and our customers’ information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you believe you have identified a potential security vulnerability in a TD application, please notify us by sending an email to td.responsibledisclosure@td.com.

Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact our Customer Service team.

TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting potential issues in accordance with the program outlined in this Policy.

Thank you in advance for your submission. We appreciate your assistance in our security efforts.

General Requirements

Only conduct research on publicly available content
Do not store, share, or compromise TD data
Do not initiate or facilitate any fraudulent transaction
Do not disclose potential vulnerabilities to any third parties or to the public without the prior written permission of TD.

If permission is provided, coordinate the disclosure/release/publication of your finding with TD; and limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public).

Scope

Any publicly-accessible systems owned, operated, and/or controlled by TD Bank Group including web applications, mobile applications, or services hosted on those systems are in-scope.

If you have questions about a specific domain or application that you would like to research, please contact TD.ResponsibleDisclosure@td.com.

This program is not permission for any of the following: Testing the physical security of TD property; Social engineering attacks on TD customers or employees (e.g., phishing emails or sites); Denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.

Legal Requirements

You must comply with all applicable laws in connection with your participation in this program.

If you conduct research and submit your findings to TD in accordance with this Policy, we will consider it authorized conduct.

TD reserves all legal rights with respect to any of the activities described in this policy.

By submitting your report to TD (your “Submission”), you agree that:

TD may take all steps needed to validate and mitigate the vulnerability;
TD may share or disclose the vulnerability as provided in this Policy;
TD may collect, use, share or disclose any personal information you provide to TD as part of your Submission; and
You grant TD any rights to your Submission needed to do any of the above.

Submitting a Report

TD is particularly interested in vulnerabilities from the OWASP Top 10 and/or vulnerabilities that have a demonstratable security impact. When reporting a potential vulnerability, please include a detailed description of your discovery, including:

The full URL.
Clear and concise steps taken.
Any tools used during discovery.
Objects possibly involved (e.g. filters or entry fields).
Evidence (e.g. screen captures welcome).
Your assessment of risk (CVSS 3.1 preferred).
The attack scenario, exploitability, and security impact of the vulnerability.
Any proposed solution (not required).

Please note that we do not request nor require executable copies of code.

By submitting a report to TD, you are indicating that you have read, understand, and agree to this Policy.

Please submit your report to: td.responsibledisclosure@td.com

Once TD receives your email, we will send an automatic email as acknowledgement. We will only make further contact with you if we need additional information to help investigate the issue.

TD will make reasonable efforts to timely investigate and close potential issues that have a demonstrated security impact, but for the protection of our customers, we may choose to not disclose, discuss, or confirm security issues.

Thank you again for your submission.

Tools and resources

How we protect your online data

Secure technology to protect your online transactions
Ways to protect yourself from common frauds and scams

Recognize the signs and tactics of fraud and how you can protect yourself.
Report an email or online fraud

Alerting suspicious and/or unauthorized account activity.
Options for electronic communications

Update how TD communicates electronic messages to you
Reporting a vulnerability

Recommended guidance on reporting identified vulnerabilities
Frequently asked questions

Common questions about Internet Security

How to Contact Us

Phone

Branch representative:
1-800-430-6095

TD Auto Finance Questions (Canada):
1-866-694-4392

TD Insurance Questions:
1-888-791-5346
Mail

Customer Feedback, Toronto-Dominion Centre,
P.O. Box 193,
Toronto, ON M5K 1H6
Email and Fax

customerfeedback@td.com

Fax: 1-877-983-2932