Penetration Testing and Network Scanning
Last updated 12 September 2017
Coordinated penetration tests and network security scans are allowed on Heroku.
Because overaggressive scans are hard to distinguish from denial-of-service attacks, please notify Heroku of all automated security scans at least 2 business days before your test and provide the following information:
- Approximate date and time window in which you’ll be conducting the test. For example, “between 8am-noon US/Pacific time, 18 September 2012”. Multiple windows are fine.
- Source IP address range you’ll be using.
- Which specific applications, hostnames, and URLs you’ll be testing.
- Contact information, including a phone number, for the individual or team conducting the test.
We also ask the following of your penetration tests:
- Rate limit HTTP requests to no more than 250 requests per second, summed across all tools and source IPs. If you need to go above that, you may need to be assigned a specific testing time window.
- If you find any vulnerabilities in our platform or any add-on services, please submit them via our bug bounty.