Penetration Testing and Network Scanning
Last updated 01 March 2019
Coordinated penetration tests and network security scans are allowed on Heroku.
Heroku no longer requires authorization of standard security and penetration tests. These tests should be low volume and should not appear to be denial-of-service attacks. Any large-volume testing must follow our load testing guidelines.
We ask the following of your penetration tests:
- Rate limit HTTP requests to no more than 250 requests per second in total, summed across all tools and source IPs. If you need to go above that, you may need to be assigned a specific testing time window.
- If you find any vulnerabilities in our platform or any add-on services, please submit them via our bug bounty.