Responsible Disclosure

Reporting Security Vulnerabilities

We support the security research community and welcome reports of vulnerabilities in our systems. We do not prosecute people who discover and report vulnerabilities to us responsibly. We treat all reports with high priority.

A security vulnerability is a weakness in the defenses of a network or application that could be used by an attacker to compromise the confidentiality, availability, or integrity of systems or data. Security researchers, industry groups, government organizations, and vendors should report potential vulnerabilities to Avalara using the submission instructions below. Customers of Avalara products or solutions and Avalara partners may use the submission instructions below or contact Avalara Technical Support to report potential vulnerabilities.

Security Vulnerability Submission

Vulnerability information is extremely sensitive. When using email to report a potential security issue to Avalara Information Security, encrypt it using our PGP public key and direct those messages to information.security@avalara.com.

It is critical to include the following information in the email:

  • Your name and contact information
  • Organization (if applicable)
  • Avalara products/solutions and versions affected
  • A detailed description of the potential vulnerability
  • Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
  • Any known information about live exploits
  • Your disclosure plans, if any
  • Your desire for public recognition

Responsible Disclosure

  • We ask that you report vulnerabilities to us before making them public.
  • Please wait until we notify you that your reported vulnerability has been resolved before disclosing it to others. We take security issues very seriously, and as you know, some vulnerabilities take longer to resolve than others.
  • Do not engage in security research that could damage our systems or that actually damages our systems.
  • Never exploit a vulnerability you discover to view data without authorization or to corrupt data.

If the Avalara Information Security and Engineering teams determine that a reported issue is a security vulnerability, these teams will collaborate to implement compensating controls, remediate the issue, and, as necessary based on the risk associated with the vulnerability, inform customers and the party or parties who reported the issue.