Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code.
- Vulnerabilities which affect multi-tenant integrity of the Heroku Platform
Before you begin, please read and understand the Standard Disclosure Terms. Heroku customer applications are out of scope for this program; you may only test against Heroku properties. You can identify public-facing Heroku properties by their EV SSL certificates; please see https://devcenter.heroku.com/articles/ev-ssl-certificates-and-heroku-owned-apps for additional information. If you’re unsure about whether something is in-scope, please feel free to ask.
The following finding types are specifically excluded from the bounty:
- Customer Applications.
- Third-party Add-ons - we will pass them along to the add-on owner, but they are not eligible for a bounty.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password.
- Missing SPF records on heroku.com/.heroku.com/herokuapp.com/.herokuapp.com domains.
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.
Issues whose primary impact is defense in depth, best practice, or otherwise low severity are typically patched within 90 days. All issues will be paid after a fix has been applied.