Security

Vulnerability Disclosure Policy

SweetHawk takes security seriously and values the contributions of the security research community. This policy outlines how security researchers should report vulnerabilities discovered in our systems.

Guidelines for Researchers

When conducting security research, you must:

  • Avoid privacy violations and degradation of user experience during testing;
  • Avoid disruption to production systems;
  • Operate only within the designated scope below;
  • Use the specified communication channels; and
  • Maintain confidentiality for 90 days until the vulnerability has been resolved.

Our Commitments

In return, SweetHawk commits to:

  • Not pursuing legal action against researchers acting in good faith;
  • Providing initial confirmation of your report within 72 hours; and
  • Recognising first reporters in our Security Researcher Hall of Fame.

Scope

In scope:

  • https://app.sweethawk.com
  • All Zendesk apps available on the SweetHawk platform

Out of scope:

Third-party hosted services are explicitly excluded, including our Webflow website, Zendesk support portal, and Stripe billing pages. The following test types are also out of scope:

  • Physical security findings;
  • Social engineering-derived results;
  • UI/UX bugs; and
  • Network-level denial of service attacks.

How to Report

Please email security@sweethawk.com with:

  • A description of the vulnerability;
  • Steps to reproduce; and
  • Your preferred name or handle for Hall of Fame recognition (optional).

Security Researcher Hall of Fame

We recognise security researchers who have responsibly disclosed vulnerabilities to us. Contributions have included findings related to DNSSEC configuration, DMARC enforcement, Content Security Policy improvements, DNS records, and outdated libraries.

To be recognised, include your preferred name or handle in your disclosure email.