How to Report a Vulnerability


At TD, we are committed to maintaining the security of our systems and our customers’ information. We encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to TD Bank Group and any of its subsidiaries and affiliates (collectively, "TD"). Please note that, for purposes of this Policy, TD Ameritrade® is not included.

If you believe you have identified a potential TD security vulnerability, please notify us by submitting it pursuant to this Responsible Disclosure Policy ("Policy").

Thank you in advance for your submission. We appreciate your assistance in our security efforts.

General Requirements

You must research and disclose potential vulnerabilities in accordance with this entire Policy, including the following requirements:

  1. Do not engage in any activity that can potentially or actually cause harm to TD, our customers, or our employees

  2. Do not engage in any activity that can potentially or actually stop or degrade TD's services or assets

  3. Do not store, share, compromise, or destroy TD or customer data. If personally identifiable information ("PII") is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact TD

  4. Do not initiate or facilitate any fraudulent transaction

  5. Only conduct security and vulnerability research with accounts you own or with the explicit, written permission of the account holder

  1. Do not conduct security and vulnerability research through any Out of Scope Activities or Vulnerabilities (listed below)

  2. Do not disclose any potential vulnerability to any third party or to the public without the prior written permission of TD

  3. Coordinate disclosure/release/publication of your finding with TD

  4. To the extent we give you permission to disclose any potential vulnerability to a third party or to the public, limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public)

Researcher Requirements

You also agree that:

  1. You are reporting in an individual capacity or, if employed by another company, you have that company’s written approval to submit a report to TD

  2. You are not an employee or contractor of TD

  3. You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting

Out of Scope Activities and Vulnerabilities

Certain research activities and vulnerabilities are out of scope for this Policy. Out of Scope Activities and Vulnerabilities include, but are not limited to:

  1. Physical testing

  2. Social engineering (e.g., attempts to steal cookies and fake login pages to collect credentials)

  3. Phishing

  1. Denial of service attacks

  2. Resource exhaustion attacks

Legal Requirements

You must comply with all applicable international, federal, state, provincial, and local laws and regulations in connection with your security research activities and your participation in this responsible disclosure program. Do not engage in any activity that violates (a) federal, state, or provincial laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) you, the researcher, are conducting research activity.

If you conduct research and submit your findings to TD in accordance with this Policy, TD will not pursue civil legal action against you. TD considers activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act and the Criminal Code of Canada.

NOTE: TD may still report actions or information that may otherwise constitute criminal or prohibited conduct to law enforcement or regulatory agencies, or as otherwise required by any applicable law.

TD may also report actions and information to third parties as required by its agreements with such parties. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-TD entity, that non-TD third party may independently determine whether to pursue legal action or remedies related to such activities.

To the extent inconsistent with any of our product, system, or other asset terms of use, this Policy shall control. TD reserves all legal rights in the event of noncompliance with this Policy, as well as all other rights to the extent not specifically waived in this Policy.

By submitting your report to TD (your “Submission”), you agree that:

  1. TD may take all steps needed to validate and mitigate the vulnerability,

  2. TD may share or disclose the vulnerability as provided in this Policy,

  3. TD may collect, use, share or disclose any personal information you provide to TD as part of your Submission, and

  4. You grant TD any rights to your Submission needed to do any of the above.

Please note that TD does not currently operate a public bug bounty program. We make no offer of reward or compensation in exchange for submitting potential issues in accordance with the program outlined in this Policy.

Submitting a Report

When reporting a potential vulnerability, please include a detailed description of your discovery, including:

  1. The full URL

  2. Clear and concise steps taken

  3. Any tools used during discovery

  4. Objects possibly involved (e.g. filters or entry fields)

  1. Evidence (e.g. screen captures welcome)

  2. Your assessment of risk/exploitability (CVSS 3.0 preferred)

  3. Any proposed solution (not required)

  4. Do NOT include executable copies of code

By submitting a report to TD, you are indicating that you have read, understand, and agree to this Policy.

Please submit your report to: td.responsibledisclosure@td.com

Once TD receives your email, we will send an automatic email as acknowledgement. We will only make further contact with you if we need further information to help investigate the issue.

TD will make reasonable efforts to timely investigate and close potential issues, but for the protection of our customers, we may choose to not disclose, discuss, or confirm security issues.

Thank you again for your submission.

Have a question? Find answers here