Penetration Testing and Network Scanning

Last Updated: 10 February 2015

security pentest

Table of Contents

Coordinated penetration tests and network security scans are allowed on Heroku.


Because overaggressive scans are hard to distinguish from denial-of-service attacks, please notify Heroku in advance of all automated security scans and provide the following information:

  • Approximate date and time window you’ll be conducting the test. For example, “between 8am-noon US/Pacific time, 18 September 2012”. Multiple windows are fine.
  • Source IP address range you’ll be using.
  • Which specific applications, hostnames, and URLs you’ll be testing.
  • Contact information, including a phone number, for the individual or team conducting the test.


We also ask the following of your penetration tests:

  • Provide updates at the start and end of each test. It’s OK if it slips a couple of hours.
  • Rate limit HTTP requests to no more than 250 requests per second, summing together across all tools and source IPs. If you need to go above that, you may need to be assigned a specific testing time window.
  • If you find any vulnerabilities in our platform or any add-on services, please treat them as confidential and notify us at immediately. If it’s particularly serious, the Heroku Security Team’s PGP key is here.