Responsible Disclosure

Reporting Security Vulnerabilities

We support the security research community and welcome reports of vulnerabilities in our systems. We do not prosecute people who discover and report vulnerabilities to us responsibly. We treat all reports with high priority.

A security vulnerability is a weakness in the defenses of a network or application that could be used by an attacker to compromise the confidentiality, availability, or integrity of systems or data. Security researchers, industry groups, government organizations, and vendors should report potential vulnerabilities to Avalara using the submission instructions below. Customers of Avalara products or solutions and Avalara partners may use the submission instructions below or contact Avalara Technical Support to report potential vulnerabilities.

Please note, Avalara does not offer a bug bounty program or compensation for disclosure.

Security Vulnerability Submission

Vulnerability information is extremely sensitive. When using email to report a potential security issue to Avalara Information Security, encrypt it using our PGP public key and direct those messages to

It is critical to include the following information in the email:

  • Your name and contact information
  • Organization (if applicable)
  • Avalara products/solutions and versions affected
  • A detailed description of the potential vulnerability
  • Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue
  • Any known information about live exploits
  • Your disclosure plans, if any
  • Your desire for public recognition

Responsible Disclosure

  • We ask that you report vulnerabilities to us before making them public.
  • Please wait until we notify you that your reported vulnerability has been resolved before disclosing it to others. We take security issues very seriously, and as you know, some vulnerabilities take longer to resolve than others.
  • Do not engage in security research that has the potential to damage our systems or does actual damage to our systems. This includes any activity that has an impact to the availability of our systems, including the use of vulnerability scanning tools.
  • Never exploit a vulnerability you discover to view data or alter data without authorization.

If the Avalara Information Security and Engineering teams determine that a reported issue is a security vulnerability, these teams will collaborate to implement compensating controls, remediate the issue, and inform customers and the party or parties responsible for responsible disclosure as necessary based on the risk associated with the vulnerability.



Avalara would like to thank the following individuals or organizations for working with us to help protect our customers.

May 2018: Markus Schirp and others at Fractional acknowledged for an insecure direct object reference issue.
August 2019: Kasper Karlsson from Omegapoint acknowledged for reporting multiple web application vulnerabilities.
August 2019: Abhishek Misal recognized for identifying a user interface redress vulnerability.
September 2019: Rituraj Vishwakarma recognized for identifying a web application vulnerability.
September 2019: Aditya Shende recognized for reporting a public GitHub repository.
September 2019: Manikandan Rajakumar recognized for reporting public GitHub repositories.
October 2019: Mohammed Mido recognized for reporting public GitHub repositories.
October 2019: Tolesh Kumar recognized for reporting an open redirect vulnerability.
October 2019: Rahad Chowdhury recognized for identifying a web application injection vulnerability.
October 2019: Rupesh Kokare recognized for identifying a user interface redress vulnerability.
October 2019: Anurag Kumar recognized for reporting a cross site scripting vulnerability.
November 2019: Abin Joseph recognized for identifying a open redirect vulnerability.
December 2019: Harsh D Ranjan recognized for reporting an HTML injection vulnerability.
January 2020: Aniruddha Khadse recognized for reporting a public GitHub repository.
March 2020: Mohsin Kahn recognized for reporting a web application vulnerability.
May 2020Suvarnesh K M recognized for reporting a cross site scripting vulnerability.
August 2020: Pulkit Pandey recognized for reporting private sites exposed to the public.
August 2020: Kaustubh Kale recognized for reporting a clickjacking vulnerability.
November 2020: Isa Ghojaria is recognized for reporting a sensitive data exposure issue.
December 2020: Priyanshu Upadhyay Found a web portal not fully protected by an SSL certificate.
January 2021: Parshwa Bhavsar is recognized for reporting a clickjacking vulnerability.
August 2020: Pulkit Pandey recognized for reporting private sites exposed to the public.
March 2021: Dhanumaalaian recognized for reporting a vulnerability in http headers.
July 2021: Aditya Singh is recognized for reporting a Host Header Injection on site
July 2021: "Kannan G" recognized for reporting a high severity vulnerability in Apache Server.
August 2021: is recognized for reporting a Clickjacking on Tax Codes Search | Avalara