Comment by patcon

4 months ago

Yes. But respectfully (residual frustration at Zendesk might make me curt here) if their security triage team can't see how dangerous it is for an attacker to get access to an arbitrary thread on their CLIENT's corporate email chains (in this world of email logins and SSO), then they have a big lapse in security culture, no?

Yes, the researcher could have tee'd himself up better, but this says way more about Zendesk than it does about the 15-year-old researcher.