Vulnerability Disclosure Policy
SweetHawk takes security seriously and values the contributions of the security research community. This policy outlines how security researchers should report vulnerabilities discovered in our systems.
Guidelines for Researchers
When conducting security research, you must:
- Avoid privacy violations and degradation of user experience during testing;
- Avoid disruption to production systems;
- Operate only within the designated scope below;
- Use the specified communication channels; and
- Maintain confidentiality for 90 days until the vulnerability has been resolved.
Our Commitments
In return, SweetHawk commits to:
- Not pursuing legal action against researchers acting in good faith;
- Providing initial confirmation of your report within 72 hours; and
- Recognising first reporters in our Security Researcher Hall of Fame.
Scope
In scope:
- https://app.sweethawk.com
- All Zendesk apps available on the SweetHawk platform
Out of scope:
Third-party hosted services are explicitly excluded, including this website, Zendesk support portal, and Stripe billing pages. The following test types are also out of scope:
- Physical security findings;
- Social engineering-derived results;
- UI/UX bugs; and
- Network-level denial of service attacks.
How to Report
Please email security@sweethawk.com with:
- A description of the vulnerability;
- Steps to reproduce; and
- Your preferred name or handle for Hall of Fame recognition (optional).
Security Researcher Hall of Fame
We recognise security researchers who have responsibly disclosed vulnerabilities to us.
| Date | Finding | Researcher |
| --- | --- | --- |
| 1 Jan 2026 | DNSSEC not enabled | Mahesh V |
| 6 Nov 2025 | DMARC enforcement | Nujella S. S. N. V. Ravindra Kumar |
| 5 Oct 2025 | Email config hardening | DepthDefense.com |
| 18 Aug 2025 | CSP improvements | Mahesh Agaji Pandhare |
| 1 July 2025 | Missing CAA record | Kishan Rastogi |
| 7 June 2025 | No frame ancestors policy | Maddirala Mukesh |
| 9 May 2025 | Use of outdated js library | Ashish Rai |
| 7 May 2025 | Leaked limited-use long-lived token | Umanhonlen Gabriel |
| 20 Feb 2025 | Outdated jQuery on main site | Devansh Chauhan |
| 6 Aug 2024 | Debug mode enabled on non-prod | Gaurang Maheta |
| 20 May 2024 | Missing DNS record | Vaibhav Jain |
| 14 Feb 2023 | SPF misconfiguration | Usama Javed |
| 17 Dec 2019 | Persistent Cross-Site Scripting in Survey app | MTK |
To be recognised, include your preferred name or handle in your disclosure email.