This summer, Zendesk identified a vulnerability through our bug bounty program, which we worked with a researcher to address. We have no evidence that this vulnerability was exploited by a bad actor. While, as the researcher shared in a public post, the specific issue they presented has been remediated, it is important that we provide clarity about what happened. This “supply chain” vulnerability, a type of vulnerability in which bad actors may attempt to exploit interconnected systems in order to breach organizations, reflects the type of security risk faced by many companies due to the way modern business tools are linked.
While this specific issue has been resolved, to further safeguard against similar and iterative exploitation attempts, we recommend companies implement best practices around user verification, including employing two-step user/identity verification, using subdomains for support emails (e.g., contact@support.example.com), and ensuring that third-party systems handling sensitive information are properly secured.
We also want to address the bug bounty program associated with this case. Although the researcher did initially submit the vulnerability through our established process, they violated key ethical principles by directly contacting third parties about their report prior to remediation. This was in violation of the bug bounty terms of service, which are industry standard and intended to protect the white hat community while also supporting responsible disclosure. This breach of trust resulted in the forfeiture of their reward, as we maintain strict standards for responsible disclosure.