Penetration Testing and Network Scanning
Last updated November 27, 2020
Table of Contents
Coordinated penetration tests and network security scans are allowed on Heroku.
Heroku does not require authorization of standard security and penetration tests. These tests should be low volume and not appear to be denial-of-service attacks. Any large volume testing must follow our load testing guidelines.
If you are a Heroku customer and you would like to report a vulnerability or have a security concern regarding Heroku, please email firstname.lastname@example.org.
For other security inquiries, please open a support ticket.
As part of our commitment to working with security researchers to make our platform safer, Heroku operates a bug bounty program to reward those who find and report bugs in our platform.
To report vulnerabilities related to Heroku:
- Privately share details of the suspected vulnerability with Heroku by submitting them via the HackerOne Disclosure Assistance Form
- Provide full details of the suspected vulnerability so the Heroku security team may validate and reproduce the issue
Valid findings will be considered for compensation in accordance with our bounty program rules.