You must comply with all applicable international, federal, state, provincial, and local laws and regulations in connection with your security research activities and your participation in this responsible disclosure program. Do not engage in any activity that violates (a) federal, state, or provincial laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) you, the researcher, are conducting research activity.
If you conduct research and submit your findings to TD in accordance with this Policy, TD will not pursue civil legal action against you. TD considers activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act and the Criminal Code of Canada.
NOTE: TD may still report actions or information that may otherwise constitute criminal or prohibited conduct to law enforcement or regulatory agencies, or as otherwise required by any applicable law.
TD may also report actions and information to third parties as required by its agreements with such parties. To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-TD entity, that non-TD third party may independently determine whether to pursue legal action or remedies related to such activities.