• $100 – $3,000+ per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

230 vulnerabilities rewarded

$1,200 average payout (last 3 months)


Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.

Getting Started

Before you begin, please read and understand the Standard Disclosure Terms.

Heroku customer applications are out of scope for this program; you may only test against Heroku properties. Submissions for *.herokuapp.com applications will be treated as out of scope.
You can identify public-facing Heroku properties by their EV SSL certificates.
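One way to apply that scoping rule before sending a single request is to pull the certificate a host presents and look for the subject attributes that the CA/Browser Forum EV Guidelines require and that domain-validated certificates lack (businessCategory, a jurisdiction country, a registration serialNumber and an organizationName). The script below is an added example, not Heroku's or Bugcrowd's code; `fetch_cert`, `looks_ev`, `describe` and the `EV_REQUIRED` table are this example's own names, the two sample certificate dicts are constructed to mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the attribute names are the OpenSSL long names that the `ssl` module is assumed to emit (short forms are accepted as well in case a build differs).

```python
import socket
import ssl

# Subject attributes mandated for EV leaf certificates. Each tuple lists the
# accepted spellings; at least one spelling of every attribute must be present.
EV_REQUIRED = (
    ("businessCategory",),
    ("jurisdictionCountryName", "jurisdictionC"),
    ("serialNumber",),
    ("organizationName", "O"),
)

# Constructed sample in the getpeercert() format of an EV certificate.
SAMPLE_EV = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}

# Constructed sample of a domain-validated certificate: only the name is asserted.
SAMPLE_DV = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "app.example.com"),),
}


def subject_fields(cert):
    """Flatten the nested ((('key', 'value'),), ...) subject tuples into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_ev(cert):
    """Heuristic: True when every EV-mandated subject attribute is present."""
    fields = subject_fields(cert)
    return all(any(name in fields for name in names) for names in EV_REQUIRED)


def describe(cert):
    """Summarise who the certificate was issued to and whether it looks EV."""
    fields = subject_fields(cert)
    return {
        "common_name": fields.get("commonName"),
        "organization": fields.get("organizationName") or fields.get("O"),
        "ev": looks_ev(cert),
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and chain-validate the leaf certificate a host presents for its name."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    for host in sys.argv[1:] or ["www.heroku.com"]:
        print(host, describe(fetch_cert(host)))
```

An EV certificate only tells you which organisation operates the host; it is still on you to check that the organisation named is Heroku and that the hostname appears in the In scope list, and a `*.herokuapp.com` name is out of scope whatever certificate it presents.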

Please consult the Focus Areas below for more information about the different components that make up Heroku.

Reward Range

Technical severity    Reward range
P1 Critical           Starting at $3,000
P2 Severe             Starting at $900
P3 Moderate           Starting at $300
P4 Low                Starting at $100

P5 submissions do not receive any rewards for this program.


In scope

Type     Target name
Other    https://dashboard.heroku.com
Other    https://id.heroku.com
Other    https://api.heroku.com
Other    https://dataclips.heroku.com
Other    https://help.heroku.com
Other    https://www.heroku.com
Other    https://toolbelt.heroku.com
Other    https://elements.heroku.com
Other    https://signup.heroku.com
Other    http://status.heroku.com/
Other    https://telex.heroku.com/
Other    https://data.heroku.com
Other    https://addons.heroku.com
Other    https://devcenter.heroku.com
Other    Source code (excluding demo and deprecated repos) only available at github.com/heroku/
Other    Vulnerabilities which affect multi-tenant integrity of the Heroku Platform
Other    https://connect.heroku.com
Other    https://provider.heroku.com
Website  addons-next.heroku.com
Website  https://git.heroku.com/
Website  http://registry.heroku.com/
Website  https://particleboard.heroku.com

Out of scope

Type     Target name
Website  https://github.com/heroku/windmil
Website  Heroku Customer Applications (*.herokuapp.com)
Other    Heroku Stack Images

Focus Areas

Heroku Platform

Our main product and focus area for security, the platform itself is what all of the other targets support (and where most of them run).

Developers can create applications written in Ruby, Node.js, Java, Python, Clojure, Scala, Go, and PHP and deploy them on our platform. On deploy, a buildpack assembles the application and its dependencies into a slug, which is then run on a dyno.


  • dyno: A dyno is a lightweight Linux container that runs a single user-specified command. A dyno can run any command available in its default environment (what we supply in the stack) or in your app’s slug.
  • slug: A compressed and pre-packaged copy of your application and its dependencies
  • buildpack: The scripts that power app builds on Heroku. Buildpacks are responsible for transforming deployed code into a slug, which can then be executed on a dyno.

What to look for:

A dyno should only be accessible to authorised users. We are therefore particularly interested in issues that lead to privilege escalation inside, or breakout from, a user's dyno, and in issues that allow one customer's dyno to interact with another customer's dyno or to intercept traffic from another dyno.
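Before writing up an isolation finding it helps to record exactly what the sandbox around your command grants, because a report that says "I had CAP_SYS_ADMIN and no seccomp filter" is reproducible where "the container felt loose" is not. The script below is an added example, not Heroku's code and not a statement of how Heroku configures dynos: it reads the process's own `/proc/self/status`, decodes the capability masks against the kernel's bit numbering, and reports the seccomp mode and the `NoNewPrivs` flag. `assess`, `decode_caps`, `parse_status`, `inspect_self` and the `DANGEROUS` set are this example's own names and choices, and the two status texts are constructed samples (one shaped like an unprivileged process under Docker's default bounding set, one shaped like root with every capability and no seccomp filter).

```python
import os

# Capability bit numbers from include/uapi/linux/capability.h (bit i == index i).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# This example's own choice: capabilities that commonly turn "I can run a command
# in this container" into "I can reach the host or other tenants" when the
# surrounding sandbox (mounts, seccomp, user namespace) is misconfigured.
DANGEROUS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_PERFMON", "CAP_SYS_BOOT",
}

# Constructed sample: unprivileged uid, Docker's default bounding set, filter on.
SAMPLE_UNPRIV = (
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n"
)

# Constructed sample: root with every capability and no seccomp filter.
SAMPLE_ROOT_NO_SECCOMP = (
    "Name:\tbash\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t0\n"
)


def decode_caps(hexmask):
    """Turn a CapEff/CapBnd hex mask into the set of capability names it contains."""
    mask = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(status_text):
    """Summarise the sandbox visible in a /proc/<pid>/status document."""
    f = parse_status(status_text)
    effective = decode_caps(f.get("CapEff", "0"))
    return {
        "uid": int(f.get("Uid", "0").split()[0]),
        "effective": effective,
        "bounding": decode_caps(f.get("CapBnd", "0")),
        "dangerous": effective & DANGEROUS,
        "no_new_privs": f.get("NoNewPrivs") == "1",
        "seccomp_mode": int(f.get("Seccomp", "0")),  # 0 disabled, 1 strict, 2 filter
    }


def inspect_self():
    """Assess the calling process's own sandbox (Linux only)."""
    with open("/proc/self/status") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    live = os.path.exists("/proc/self/status")
    report = inspect_self() if live else assess(SAMPLE_ROOT_NO_SECCOMP)
    for key in ("uid", "effective", "dangerous", "no_new_privs", "seccomp_mode"):
        value = report[key]
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it from inside the environment under test and paste the output into the report alongside the actual breakout or cross-tenant access you demonstrate; a loose-looking capability set on its own is not a finding, but it is the context that makes a real one reproducible.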


Heroku API

The platform API (api.heroku.com) is how developers interact with the Heroku Platform. You can use the platform API to programmatically create apps, provision add-ons and perform other tasks. Most Heroku tools (such as the CLI and dashboard) interact with the Heroku platform through the API.


Heroku Dashboard

The Heroku Dashboard is the web user interface for Heroku’s core features and functionality. This is the main web application target for our bounty.

It provides UI support for things like creating/renaming/deleting apps, configuring add-ons, managing Heroku Teams, creating Heroku Pipelines, deploying your application, viewing and responding to application metrics, and accessing usage, invoices and billing information.

Other Heroku products that are not part of the Heroku Dashboard can be accessed via the main navigation. Some of those products are Heroku Data, Dataclips, and Heroku Connect (Heroku/Salesforce Integration).


Heroku CLI

The Heroku Command Line Interface (CLI), formerly known as the Heroku Toolbelt, is a tool for creating and managing Heroku apps from the command line / shell of various operating systems. It is written in Go and Node and interacts with the Heroku Platform API.

Heroku CLI plugins that are published on GitHub under the Heroku org are also in scope and provide additional functionality to test (e.g. https://github.com/heroku/heroku-cli-addons).



Heroku Connect

Heroku Connect is an add-on that synchronizes data between your Salesforce organization and a Heroku Postgres database. You can follow the getting started documentation to provision an application with Heroku Connect and use the free Demo plan for testing.

Only the Heroku endpoints are in scope. Do not perform testing or attacks against any non-Heroku Salesforce URIs.




Heroku Docker Builds

A new build system powered by Docker, which allows slugs to be built from Docker images. A custom heroku.yml in the repository specifies the Dockerfile to use and can declare add-ons and config vars to create during app provisioning.

What to look for:

Heroku is most interested in the following types of findings:

  • Discovering Docker misconfiguration
  • Circumventing Linux isolation
  • Breaking out during build, release or run
  • Overusing Heroku services (exceeding limits) via these new features
  • Discovering flaws in container registry (registry.heroku.com)


Apache Kafka on Heroku

Apache Kafka on Heroku is an add-on that provides Kafka as a service with full integration into the Heroku platform.

This is an expensive add-on and we do not have a free tier at this time for testing. However, we are interested in any vulnerabilities you may discover in Apache Kafka that are specific to our deployment.

Apache Kafka is a distributed commit log for fast, fault-tolerant communication between producers and consumers using message based topics. Kafka provides the messaging backbone for building a new generation of distributed applications capable of handling billions of events and millions of transactions, and is designed to move large volumes of ephemeral data with a high degree of reliability and fault tolerance.




Beta Features

A great way to get in early on new features is to sign up for our Private Betas and to look at Heroku Labs features!

Account Creation

You MUST use the [USERNAME]@bugcrowdninja.com email alias when signing up for heroku.com accounts that will be used to participate in this bounty.

For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and signup with an email address such as researcher+randomstring@bugcrowdninja.com.

Accounts not following these rules will be suspended without warning.

Out-of-Scope Targets

  • Customer applications.
  • 3rd-Party Heroku Add-On Providers.
  • AWS S3 Buckets not mentioned in Heroku documentation, or interacted with from a Heroku service.
    • Any bug involving an S3 bucket must have clear repeatable instructions detailing how the bucket name was obtained e.g. “The Heroku Dashboard performs a direct upload to bucket name xyz” or “The buildpack source code at github.com/heroku/foo contains the bucket name xyz”

Out-of-Scope Findings

The following vulnerability classes are explicitly excluded from the bounty, and will not be rewarded unless a reproducible proof-of-concept demonstrating a clear and significant impact to the Heroku platform or its users can be provided. tl;dr - If it is exploitable, or affects other users of the platform, we want to know about it.

  • Disclosure of known public files or directories (e.g. robots.txt, crossdomain.xml).
  • CSRF bugs affecting anonymous users (e.g. the contact form), or resulting in a logged-in user being logged out.
  • Stored, Reflected, or DOM Self-XSS.
  • Vulnerabilities in demo or deprecated source repositories at github.com/heroku
  • Open Redirects.
  • CSV Injection.
  • Attacks involving physical or social engineering.
  • Missing autocomplete attributes.
  • Vulnerabilities reported by automated tools (e.g. Burp Suite).
  • Denial of Service attacks.
  • Missing DKIM, SPF, or related records on Heroku domains.
  • Open ports on Heroku services.
  • Publicly accessible login panels.
  • Descriptive Error Messages (e.g. Stacktraces, application errors, server errors)
  • Banner Disclosure on publicly accessible services.
  • SSL Attacks (e.g. BEAST, BREACH, Renegotiation attack), or SSL/TLS reports from sites such as Qualys/SSLLabs
  • Permissive CORS configurations unless there is a demonstrable exploit that allows sensitive data disclosure.
  • Missing flags on cookies not involved in authentication/authorization.
  • Missing CSP Configuration.
  • Missing HTTP Security Headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options.
  • Issues affecting outdated browsers.
  • Brute force against the Login or Forgot Password pages, or account lockout not being enforced.
  • Publicly modifiable Wiki pages on GitHub - submissions will be treated as P5 Won't Fix


If you're on any U.S. government denied-party list or live in a country that is on such a list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.

We, of course, reserve the right to cancel or modify this program at any time and the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

Issues whose primary impact is defense in depth, best practice, or otherwise low severity are typically patched within 90 days. All issues will be paid after a fix has been applied.