Responsible Disclosure

At Avalara, we work hard to protect our products and services against security threats. We’re committed to partnering with the security community to find security vulnerabilities through our Vulnerability Disclosure Program. We appreciate your help in keeping our business and customers safe.

This page recognizes the individuals or organizations that helped protect our customers 2018 through 2022. All future pieces of recognition will be located at our VDP Thanks page.

May 2018: Markus Schirp and others at Fractional acknowledged for an insecure direct object reference issue.
August 2019: Kasper Karlsson from Omegapoint acknowledged for reporting multiple web application vulnerabilities.
August 2019: Abhishek Misal recognized for identifying a user interface redress vulnerability.
September 2019: Rituraj Vishwakarma recognized for identifying a web application vulnerability.
September 2019: Aditya Shende recognized for reporting a public GitHub repository.
September 2019: Manikandan Rajakumar recognized for reporting public GitHub repositories.
October 2019: Mohammed Mido recognized for reporting public GitHub repositories.
October 2019: Tolesh Kumar recognized for reporting an open redirect vulnerability.
October 2019: Rahad Chowdhury recognized for identifying a web application injection vulnerability.
October 2019: Rupesh Kokare recognized for identifying a user interface redress vulnerability.
October 2019: Anurag Kumar recognized for reporting a cross site scripting vulnerability.
November 2019: Abin Joseph recognized for identifying a open redirect vulnerability.
December 2019: Harsh D Ranjan recognized for reporting an HTML injection vulnerability.
January 2020: Aniruddha Khadse recognized for reporting a public GitHub repository.
March 2020: Mohsin Kahn recognized for reporting a web application vulnerability.
May 2020: Suvarnesh K M recognized for reporting a cross site scripting vulnerability.
August 2020: Pulkit Pandey recognized for reporting private sites exposed to the public.
August 2020: Kaustubh Kale recognized for reporting a clickjacking vulnerability.
November 2020: Isa Ghojaria is recognized for reporting a sensitive data exposure issue.
December 2020: Priyanshu Upadhyay Found a web portal not fully protected by an SSL certificate.
January 2021: Parshwa Bhavsar is recognized for reporting a clickjacking vulnerability.
August 2020: Pulkit Pandey recognized for reporting private sites exposed to the public.
March 2021: Dhanumaalaian recognized for reporting a vulnerability in http headers.
July 2021: Aditya Singh is recognized for reporting a Host Header Injection on site https://www.avalara.com
July 2021: "Kannan G" recognized for reporting a high severity vulnerability in Apache Server.
August 2021: shathishsurya@gmail.com is recognized for reporting a Clickjacking on Tax Codes Search | Avalara
November 2021: Amaranath Moger is recognized for reporting a Clickjacking vulnerability.
November 2021: Akshay kerkar recognized for reporting a DMARC Issue.
December 2021: Deha Berkin Bir recognized for reporting a cross site scripting vulnerability.
December 2021: Amit Kumar Biswas recognized for reporting a clickjacking vulnerability.
December 2021: Deha Berkin Bir recognized for reporting a Non-Self Reflected XSS vulnerability.
December 2021: J Jebarson Immanuel is recognized for reporting a sensitive data exposure issue.
December 2021: Asmina recognized for reporting a clickjacking vulnerability.
November 2021: Hrithik Mishra is recognized for reporting a Kubernetes metrics exposed issue.
November 2021: Hrithik Mishra is recognized for reporting an Apache Server-Status Disclosure issue.
April 2022: Tinu Tomy is recognized for reporting a Clickjacking vulnerability
April 2022: Meet Narkhede is recognized for reporting a Clickjacking vulnerability
April 2022: Suthar Govind is recognized for reporting a Clickjacking vulnerability
April 2022:  VIPIN K R is recognized for reporting a sensitive information disclosure
August 2022: Kumaragurubaran T K is recognized for reporting a sensitive data exposure issue.
August 2022: Sachin Sharma is recognized for reporting a sensitive data exposure issue.