Heroku

  • $100 – $3,000+ per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Heroku Bonus Rewards

Hey Everyone,

Heroku is interested in getting security feedback on their recently built Build 2.0 Docker feature set, which is currently in a pre-release phase. For the next month (August 10th - September 10th) findings against 'Build 2.0' will receive 1.5x payouts, depending on the VRT Category.

All the information you'll need to learn about the feature set and access is below:
https://devcenter.heroku.com/articles/docker-builds-heroku-yml
https://devcenter.heroku.com/articles/container-registry-and-runtime

Heroku is most interested in the following types of findings:

  • Discovering Docker misconfiguration
  • Circumventing Linux isolation
  • Breaking out during build, release or run
  • Overusing Heroku services (exceeding limits) via these new features
  • Discovering flaws in the container registry (registry.heroku.com)

Happy hunting!
Steve @Bugcrowd