Details

#Welcome to Avalara!

Avalara helps businesses of all sizes get tax compliance right. In partnership with leading ERP, accounting, ecommerce, and other financial management system providers, Avalara delivers cloud-based compliance solutions for various transaction taxes, including sales and use, VAT, GST, excise, communications, lodging, and other indirect tax types.

At Avalara, we work hard to protect our products and services against security threats. We’re committed to partnering with the security community to find security vulnerabilities through our Vulnerability Disclosure Program. We appreciate your help in keeping our business and customers safe.

We will recognize the first security researcher who reports a valid and unknown-to-us vulnerability once the vulnerability is verified and addressed. We do not offer compensation for disclosures at this time.

Conduct Guidelines

When researching and disclosing a vulnerability, please:

Provide a detailed report with reproducible steps.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide an impact.
Comply with all applicable laws and regulations.
Comply with HackerOne’s Vulnerability Disclosure Guidelines.
Only use a proof of concept to validate a vulnerability.
Only interact with accounts that you own or with the explicit permission of the account owner.
Stop before engaging in any conduct that may be inconsistent with or unaddressed by this Policy, and report your initial findings to us.
Promptly report any vulnerability you find.

Please do not:

Conduct any social engineering (e.g., phishing, vishing, smishing).
Do anything that may interrupt or degrade our service (e.g., denial-of-service attacks, brute force attacks).
Do anything that may cause destruction of data.
Save, store, transfer, access, or otherwise process any Avalara data after initial discovery if such data is accessed through a vulnerability. All copies of Avalara data must be returned to Avalara or destroyed upon Avalara's request, and a certificate of destruction must be provided upon Avalara's request.
Do anything that may cause harm to Avalara or our customers, partners, vendors, or employees.
Conduct a physical attack on Avalara personnel, property, or data centers.
Use a finding to compromise or exfiltrate data or pivot to other systems.
Disclose any vulnerabilities (even resolved ones) to anyone other than Avalara without Avalara’s express consent.
Include in your report any information that may identify an individual (e.g., name, physical address, IP address).

Eligibility

Avalara employees and contractors are not eligible for this Program and should report any vulnerabilities through appropriate internal mechanisms.

Out-of-Scope Vulnerabilities

Vulnerabilities that are not easily exploitable and have low security impact do not qualify for this Program. For example, the following issues are considered out-of-scope:

Clickjacking on pages with no sensitive actions.
Security header information that does not result in an exploitable path.
Issues that resolve to third-party services.
Unauthenticated/logout/login CSRF.
Attacks requiring AITM (Attacker-In-The-Middle) or physical access to a user's device.
Previously known vulnerable libraries without a working proof of concept.
CSV (Comma Separated Values) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.

Response Targets

We treat all reports through this Program with high priority. We aim to meet the following response targets for submissions to this Program:

• Time from report submission to first response: 1-2 business days • Time from report submission to triage: 3-5 business days

We will strive to keep you informed about our progress throughout the process.

Other Terms and Conditions

We will not initiate a lawsuit or law enforcement investigation against you for security research and vulnerability disclosure activities conducted in compliance with this Policy.

If legal action is initiated by a third party against you in connection with activities conducted under this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy. We cannot and do not authorize security research in the name of other entities.

Nothing in this Policy, including submission of a report, should be deemed to constitute the grant to you of any license or any other right to or in respect of any Avalara or third-party product, service, patent trademark, trade secret, or other intellectual property. By submitting a report, you grant Avalara a perpetual, worldwide, exclusive, fully-paid-up license to sublicense, copy, distribute, display, perform, transmit, and publish the report.

Avalara will determine, in its sole discretion, whether recognition will be provided for reporting a vulnerability, and it reserves the right to withhold such recognition. Violation of this Policy may result in removal from the Program and ineligibility for any future bug bounty opportunities. By submitting a report or otherwise participating in this Program, you agree that you have read and will follow this Policy. Avalara reserves the right to update this Policy without notice and to terminate this Program without notice.

Thank you for helping keep Avalara and our customers safe!

Conduct Guidelines

When researching and disclosing a vulnerability, please:

Provide a detailed report with reproducible steps.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide an impact.

Comply with all applicable laws and regulations.

Comply with HackerOne’s Vulnerability Disclosure Guidelines.

Only use a proof of concept to validate a vulnerability.

Only interact with accounts that you own or with the explicit permission of the account owner.

Stop before engaging in any conduct that may be inconsistent with or unaddressed by this Policy, and report your initial findings to us.

Promptly report any vulnerability you find.

Please do not:

Conduct any social engineering (e.g., phishing, vishing, smishing).

Do anything that may interrupt or degrade our service (e.g., denial-of-service attacks, brute force attacks).

Do anything that may cause destruction of data.

Save, store, transfer, access, or otherwise process any Avalara data after initial discovery if such data is accessed through a vulnerability. All copies of Avalara data must be returned to Avalara or destroyed upon Avalara's request, and a certificate of destruction must be provided upon Avalara's request.

Do anything that may cause harm to Avalara or our customers, partners, vendors, or employees.

Conduct a physical attack on Avalara personnel, property, or data centers.

Use a finding to compromise or exfiltrate data or pivot to other systems.

Disclose any vulnerabilities (even resolved ones) to anyone other than Avalara without Avalara’s express consent.

Include in your report any information that may identify an individual (e.g., name, physical address, IP address).

Out-of-Scope Vulnerabilities

Vulnerabilities that are not easily exploitable and have low security impact do not qualify for this Program. For example, the following issues are considered out-of-scope:

Clickjacking on pages with no sensitive actions.

Security header information that does not result in an exploitable path.

Issues that resolve to third-party services.

Unauthenticated/logout/login CSRF.

Attacks requiring AITM (Attacker-In-The-Middle) or physical access to a user's device.

Previously known vulnerable libraries without a working proof of concept.

CSV (Comma Separated Values) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.