Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.


In scope

Before you begin, please read and understand the Standard Disclosure Terms. Heroku customer applications are out of scope for this program; you may only test against Heroku properties. You can identify public-facing Heroku properties by their EV SSL certificates; please see https://devcenter.heroku.com/articles/ev-ssl-certificates-and-heroku-owned-apps for additional information. If you’re unsure about whether something is in-scope, please feel free to ask.

Account Creation

You MUST use the [USERNAME]@bugcrowdninja.com email alias when signing up for heroku.com accounts that will be used to participate in this bounty.

For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and signup with an email address such as researcher+randomstring@bugcrowdninja.com.

Accounts not following these rules will be suspended without warning.

The following finding types are specifically excluded from the bounty:

  • Customer Applications.
  • Third-party Add-ons - we will pass them along to the add-on owner, but they are not eligible for a bounty.
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password.
  • Missing DKIM, SPF, or related records on heroku.com/.heroku.com/herokuapp.com/.herokuapp.com domains.
  • Vulnerabilities in demo or deprecated source code repositories.
  • Permissive CORS configurations unless there is a demonstrable exploit that allows sensitive data disclosure.
  • Amazon S3 buckets unless they are explicitly listed as Targets (no brute forcing bucket names)


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.

This bounty requires explicit permission to disclose the results of a submission.

Issues whose primary impact is defense in depth, best practice, or otherwise low severity are typically patched within 90 days. All issues will be paid after a fix has been applied.