[chabons]

The author specifically stated: "Realizing this, I asked for the report to be forwarded to an actual Zendesk staff member for review", before getting another reply for H1. I read this as they escalated it to Zendesk directly, who directed it back to HackerOne.

[radlad]

It wasn't clear to me as even at that point it was an "H1 Mediator" who responded.

Also the bit about SPF, DKIM and DMARC seems to show a misunderstanding of the issue: these are typically excluded because large companies aren't able to do full enforcement on their email domains due to legacy. It's a common bug report.

In this case, the problem was that Zendesk wasn't validating emails from external systems.

[jojobas]

It doesn't matter if the decision that this bug doesn't matter came from a Zendesk employee or Zendesk contractor (in this case H1). Zendesk authorized them to make decisions on the matter.

The audacity to say "this is out of scope" then "how dare you tell anyone else" is something else.

[radlad]

No disagreements there.

[nightpool]

In this case, that probably means that H1 had a Zoom or Slack convo with the team and is relaying their decision into text instead of making them write it down themselves.

[radlad]

Yeah probably, but what information did H1 relay to them? Did they read the email, or did they get H1's interpretation of the bug? Because the SPF/DKIM/DMARC stuff really doesn't make sense with context.