That sounds problematic. Where do they detail this?
Wikipedia:
Google Safe Browsing “conducts client-side checks. If a website looks suspicious, it sends a subset of likely phishing and social engineering terms found on the page to Google to obtain additional information available from Google’s servers on whether the website should be considered malicious”.
Regardless of everything else they should be kicked out from HackerOne since it’s clearly Zendesk not being truthful here.