Scotiabank Responsible Disclosure Program (‘SRDP’) 

The trust we have earned from our customers is the most important asset we have, and we will never take it for granted. To maintain trust, we significantly invest in the people, processes and technology needed to keep our customers and their information safe. We also recognize the important role the security research community plays in helping protect the bank from cyber threats. The Scotiabank Responsible Disclosure Program (SRDP) provides the security research community a channel to communicate directly with Scotiabank to identify rare but possible vulnerabilities as we all work to maintain the security of the Scotiabank network (systems and data).

Reporting a Vulnerability

Please report all perceived vulnerabilities by email to SRDP@scotiabank.com. To aid our review, please include as much detail as possible in your report including, but not limited to:

  • The full URL.
  • Steps taken and any tools used.
  • Objects possibly involved (e.g. filters or entry fields).
  • Evidence (screen captures).
  • Your assessment of perceived risk.
  • Any proposed solution.

Scotiabank will acknowledge your email with an automatic reply.  We will contact you as required once we review your findings.  We appreciate all reports but may not be able to share specific investigative steps or resolution with you. 

Thank you for your submission.

Guidelines for Reporting  

To ensure a collaborative approach, please respect the guidelines set out below.

  1. You are contacting us in your personal capacity and are at least 18 years of age or have your parent or guardian’s permission to contact us.  
  2. You will not engage in any activity that could harm Scotiabank, our customers, employees, services and/or assets.
  3. You will not share, compromise or disclose any personally identifiable information.   
  4. You will only conduct security and vulnerability research with accounts you own or with the express consent of the account holder. You will not use social engineering or brute force methods to attempt to obtain confidential credentials.
  5. You agree to comply with all applicable laws and regulations in connection with your security research activities and your participation in SRDP.
  6. You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter. 

Services in Scope

Any Scotiabank owned web-site, web-service or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:

  • scotiabank.com
  • scotiaonline.scotiabank.com
  • scotiaconnect.scotiabank.com
  • tangerine.ca
  • Scotiabank mobile application for iOS, Android