Scotiabank Responsible Disclosure Program (‘SRDP’) 

The trust we have earned from our customers is the most important asset we have, and we will never take it for granted. To maintain that trust, we invest significantly in the people, processes and technology needed to keep our customers and their information safe. We also recognize the important role the security research community plays in helping protect the bank from cyber threats. The Scotiabank Responsible Disclosure Program (SRDP) gives the security research community a direct channel to report suspected vulnerabilities to Scotiabank, so that together we can maintain the security of the Scotiabank network (systems and data).

Reporting a Vulnerability

Please report all perceived vulnerabilities by email to SRDP@scotiabank.com. To aid our review, please include as much detail as possible in your report including, but not limited to:

  • The full URL.
  • Steps taken and any tools used.
  • Objects possibly involved (e.g. filters or entry fields).
  • Evidence (screen captures).
  • Your assessment of perceived risk.
  • Any proposed solution.

Scotiabank will acknowledge your email with an automatic reply.  We will contact you as required once we review your findings.  We appreciate all reports but may not be able to share specific investigative steps or resolution with you.

Thank you for your submission.

Guidelines for Reporting  

To ensure a collaborative approach, please respect the guidelines set out below.

  1. You are contacting us in your personal capacity and are at least 18 years of age or have your parent or guardian’s permission to contact us. 
  2. Research and reporting must be done in good faith, and not for malicious or exploitative purposes.
  3. You will not engage in any activity that could harm Scotiabank, our customers, employees, services and/or assets.
  4. You will not share, compromise or disclose any personally identifiable information.  
  5. You will only conduct security and vulnerability research with accounts you own or with the express consent of the account holder. You will not use social engineering or brute force methods to attempt to obtain confidential credentials.
  6. You agree to comply with all applicable laws and regulations in connection with your security research activities and your participation in SRDP.
  7. You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter.
  8. You understand that participating in the program and submitting possible findings does not grant you any intellectual property rights over the bank’s systems.
  9. You understand that this program is voluntary, and participation does not entitle you to any compensation, reward, or employment.

Services in Scope

Any Scotiabank-owned website, web service or mobile application that handles reasonably sensitive user data is intended to be in scope. Only vulnerabilities in publicly accessible bank assets are in scope. This includes both unauthenticated pages and customer-authenticated portals that customers reach with their own credentials. It does not include pages, roles, tools or environments that are not intended for public or customer use, that require Scotiabank employee or contractor credentials or administrative permissions, or that are reachable only from Scotiabank-managed internal networks.

Examples of publicly accessible bank assets include virtually all content in the following domains:

Additional Notes on the Program

Timelines: After submission, the following will take place:

  • You will receive an acknowledgment email within 5 business days of submission.
  • Our evaluation team will provide a determination or request for further information within 10–15 business days.
  • If the vulnerability is confirmed, resolution may take up to 90 days, depending on complexity.
  • We will keep you informed throughout the process and notify you upon resolution.

By participating in this program, you confirm that you have read, understood, and agree to these guidelines.  Failure to follow these guidelines may result in legal action or disqualification from the program. 

Scotiabank makes no warranties, express or implied, guarantees or conditions with respect to the program and assumes no liability for any consequences that may result from your participation. You understand that your participation in the program is entirely voluntary and at your own risk.  
