You are now leaving our website and entering a third-party website over which we have no control.
How to Report a Vulnerability
Responsible Disclosure Program
At TD, we are committed to maintaining the security of our systems and information. We appreciate the contribution that experts, researchers, and our customers make towards that goal. If you follow the requirements of this Policy (as defined below), we will consider your research activities to be authorized conduct.
If you believe you have identified a potential security vulnerability in a TD application, please submit a report to us.
Note: This is to report a potential security vulnerability in a TD application. If you instead need support with any other type of question, including a concern regarding potential fraud, please contact us.
While we appreciate your assistance with reporting potential security vulnerabilities, please note that TD does not currently operate a paid bug bounty program and makes no offer of reward or compensation in exchange for submitting a report.
Thank you in advance for your participation. We appreciate your assistance.
Guidelines
This policy ("Policy") sets out terms and conditions of TD's Responsible Disclosure Program (the "Program"). In order to protect you and us, we have established the following requirements to participate in the Program:
- Be at least 18 years of age or the age of majority in your jurisdiction (age at which a person is consider an adult) or have your parent or guardian’s permission to participate in the Program.
- Conduct research using only accounts that you own or with the express consent of the account holder.
- Comply with all applicable laws and regulations in connection with your research and participation in this Program.
- Do not engage in any activity that can harm TD, our customers, or our employees.
- Do not initiate or facilitate any fraudulent transactions.
- If you acquire or access TD information or customer data, including personal identifiable information (name, address, email, etc.), as part of conducting research for the Program, immediately stop the activity, delete all copies of the data and report to us using this submission form.
- Do not disclose any information related to your findings to any third parties or to the public without the prior written permission of TD.
- Do not engage in out-of-scope testing, including of: the physical security of TD property; social engineering attacks on TD customers or employees (e.g., phishing emails or sites); denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.
Legal Requirements
By submitting a report, you confirm that you have read, understand, agree to, and complied with the Policy. In addition, you agree that:
- TD may take all steps needed to validate and mitigate potential vulnerabilities;
- TD may share or disclose the findings;
- TD may collect, use, share or disclose any personal information you provide to TD as part of your report, in accordance with our Privacy Policy; and
- You grant TD any rights to your report needed to do any of the above.
Thank you again for your participation.