How to Report a Vulnerability
General Requirements

You must research and disclose potential vulnerabilities in accordance with this entire Policy, including the following requirements:
  • Do not engage in any activity that can potentially or actually cause harm to TD, our customers, or our employees
  • Do not engage in any activity that can potentially or actually stop or degrade TD's services or assets
  • Do not store, share, compromise, or destroy TD or customer data. If personally identifiable information ("PII") is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact TD
  • Do not initiate or facilitate any fraudulent transaction
  • Only conduct security and vulnerability research with accounts you own or with the explicit, written permission of the account holder
  • Do not conduct security and vulnerability research through any Out of Scope Activities or Vulnerabilities (listed below)
  • Do not disclose any potential vulnerability to any third party or to the public without the prior written permission of TD
  • Coordinate disclosure/release/publication of your finding with TD
  • To the extent we give you permission to disclose any potential vulnerability to a third party or to the public, limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public)

Out of Scope Activities and Vulnerabilities

Certain research activities and vulnerabilities are out of scope for this Policy. Out of Scope Activities and Vulnerabilities include, but are not limited to:
  • Physical testing
  • Social engineering (e.g., attempts to steal cookies and fake login pages to collect credentials)
  • Phishing
  • Denial of service attacks
  • Resource exhaustion attacks

Submitting a Report

When reporting a potential vulnerability, please include a detailed description of your discovery, including:
  • The full URL
  • Clear and concise steps taken
  • Any tools used during discovery
  • Objects possibly involved (e.g. filters or entry fields)
  • Evidence (e.g. screen captures are welcome)
  • Your assessment of risk/exploitability (CVSS 3.0 preferred)
  • Any proposed solution (not required)
  • Do NOT include executable copies of code