Found a pretty serious XSS in Help Scout. It’s trivial to force the user to trigger it and after that you can pretty much do whatever you want: steal, modify and delete emails, steal user credentials, etc.
Turns out they don’t have any bug bounty program. Their HackerOne program is suspended (https://hackerone.com/helpscout). Judging by the links on that page, there was once info regarding bug reporting on their security policy page; it’s all cleaned up now.
Also, their HackerOne suspension notice is... ehm... “catch up on the backlog of reports and prioritize other improvements”. Prioritizing new features over a backlog of security reports, mkay.