Email user verification bug bounty report retrospective – Zendesk help

submitted by Style Pass, 2024-10-12 22:30:02

This summer, Zendesk identified a vulnerability through our bug bounty program, which we worked with a researcher to address. We have no evidence that this vulnerability was exploited by a bad actor. While, as the researcher shared in a public post, the specific issue they presented has been remediated, it is important that we provide clarity about what happened. This “supply chain” vulnerability, a type of vulnerability in which bad actors may attempt to exploit interconnected systems in order to breach organizations, reflects the kind of security risk faced by many companies because of the way modern business tools are linked.

While this specific issue has been resolved, to further safeguard against similar and iterative exploitation attempts, we recommend companies implement best practices around user verification, including employing two-step user/identity verification, using subdomains for support emails (e.g., contact@support.example.com), and ensuring that third-party systems handling sensitive information are properly secured.
