Penetration Testing and Network Scanning

Last Updated: 21 April 2014

Coordinated penetration tests and network security scans are allowed on Heroku.


Since overaggressive scans are hard to distinguish from Denial of Service attacks, please notify Heroku in advance of all automated security scans and provide the following information:

  • Approximate date and time window you’ll be conducting the test (e.g., “between 8am-noon US/Pacific time, 18 September 2012”). Multiple windows are fine.
  • Source IP address range you’ll be using.
  • Which specific applications, hostnames, and URLs you’ll be testing.
  • Contact information, including a phone number, for the individual or team conducting the test.


We also ask the following of your penetration tests:

  • Provide updates at the start and end of each test. It’s OK if it slips a couple of hours.
  • Rate limit HTTP requests to no more than 250 requests per second, summed across all tools and source IPs. If you need to go above that, you may need to be assigned a specific testing time window.
  • If you find any vulnerabilities in our platform or any add-on services, please treat them as confidential and notify us at at once. If it’s particularly serious, the Heroku Security Team’s PGP key is here.