Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.
Reward RangeLast updated
|Technical severity||Reward range|
|p1 Critical||Starting at: $3,000|
|p2 Severe||Starting at: $900|
|p3 Moderate||Starting at: $300|
|p4 Low||Starting at: $100|
Out of scope
Before you begin, please read and understand the Standard Disclosure Terms. Heroku customer applications are out of scope for this program; you may only test against Heroku properties. You can identify public-facing Heroku properties by their EV SSL certificates; please see https://blog.heroku.com/fancy-pants-certs for additional information.
'heroku.yml Docker builds' Bonus! (August 10th - September 10th)
Heroku is interested in getting security feedback on their new build system powered by Docker, which is currently in a pre-release phase. For the next month (August 10th - September 10th) findings against 'heroku.yml Docker builds' will receive 1.5x payouts, depending on the VRT Category. All the information you'll need to learn about the feature set and access is below:
Heroku is most interested in the following types of findings:
- Discovering Docker misconfiguration
- Circumventing Linux isolation
- Breaking out during build, release or run
- Overusing Heroku services (exceeding limits) via these new features
- Discovering flaws in container registry (registry.heroku.com)
Only the vulnerabilities found in the latest version are eligible.
If you’re unsure about whether something is in-scope, please feel free to ask. With the exception of the listed out-of-scope findings, we base our severity and rewards on the Bugcrowd VRT.
Our main product and focus area for security, the platform itself is what all of the other targets support (and where most of them run).
Developers can create applications written in Ruby, Node.js, Java, Python, Clojure, Scala, Go, and PHP and deploy them on our platform. Once deployed, the application is assembled into a slug, which is then run on a dyno.
A dyno is a lightweight Linux container that runs a single user-specified command. A dyno can run any command available in its default environment (what we supply in the stack) or in your app’s slug (a compressed and pre-packaged copy of your application and its dependencies).
Documentation: https://devcenter.heroku.com/articles/how-heroku-works and https://devcenter.heroku.com/articles/dynos
The platform API (
api.heroku.com) is how developers interact with the Heroku Platform. You can use the platform API to programmatically create apps, provision add-ons and perform other tasks.
Documentation: https://devcenter.heroku.com/articles/platform-api-reference and https://devcenter.heroku.com/categories/platform-api
The Heroku Dashboard is the web user interface for Heroku’s core features and functionality. This is the main web application target for our bounty.
It provides UI support for things like creating/renaming/deleting apps, configuring add-ons, managing Heroku Teams, creating Heroku Pipelines, deploying your application, viewing and responding to application metrics, and accessing usage, invoices and billing information.
Other Heroku products that are not part of the Heroku Dashboard can be accessed via the main navigation. Some of those products are Heroku Data, Dataclips, and Heroku Connect (Heroku/Salesforce Integration).
The Heroku Command Line Interface (CLI), formerly known as the Heroku Toolbelt, is a tool for creating and managing Heroku apps from the command line / shell of various operating systems. It is written in Go and Node and interacts with the Heroku Platform API.
Heroku CLI plugins that are published on Github under the Heroku org are also in scope and provide additional functionality to test (e.g. https://github.com/heroku/heroku-cli-addons).
Apache Kafka on Heroku
This is an expensive add-on and we do not have a free tier at this time for testing. However, we are interested in any vulnerabilities you may discover in Apache Kafka that are specific to our deployment.
Apache Kafka on Heroku is an add-on that provides Kafka as a service with full integration into the Heroku platform.
Apache Kafka is a distributed commit log for fast, fault-tolerant communication between producers and consumers using message based topics. Kafka provides the messaging backbone for building a new generation of distributed applications capable of handling billions of events and millions of transactions, and is designed to move large volumes of ephemeral data with a high degree of reliability and fault tolerance.
Heroku Connect is an add-on that synchronizes data between your Salesforce organization and a Heroku Postgres database. You can follow the getting started documentation to provision an application with Heroku Connect and use the free Demo plan for testing
Only the Heroku endpoints are in scope. Do not perform testing or attacks against any non-Heroku Salesforce URIs.
Documentation: https://www.heroku.com/connect and https://devcenter.heroku.com/articles/heroku-connect
Heroku recently added new features to their Postgres product, please read the blog post for full details. [As of 8/10/2017 at 12:30 PM PDT]
You MUST use the
[USERNAME]@bugcrowdninja.com email alias when signing up for heroku.com accounts that will be used to participate in this bounty.
For example, if your Bugcrowd username is
researcher, you must use
email@example.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and signup with an email address such as
Accounts not following these rules will be suspended without warning.
- Customer applications.
- 3rd-Party Heroku Add-On Providers.
- AWS S3 Buckets not mentioned in Heroku documentation, or interacted with from a Heroku service.
- Any bug involving an S3 bucket must have clear repeatable instructions detailing how the bucket name was obtained e.g. “The Heroku Dashboard performs a direct upload to bucket name xyz” or “The buildpack source code at github.com/heroku/foo contains the bucket name xyz”
If you're on any U.S. government denied-party list or live in a country that is on such a list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
We, of course, reserve the right to cancel or modify this program at any time and the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.
The following vulnerability classes are explicitly excluded from the bounty, and will not be rewarded unless a reproducible proof-of-concept demonstrating a clear and significant impact to the Heroku platform or it’s users can be provided. tl;dr - If it is exploitable, or affects other users of the platform, we want to know about it.
- Disclosure of known public files or directories (e.g. robots.txt, crossdomain.xml).
- CSRF bugs affecting anonymous users (e.g. the contact form), or resulting in a logged-in user being logged out.
- Stored, Reflected, or DOM Self-XSS.
- Vulnerabilities in demo or deprecated source repositories at github.com/heroku
- Open Redirects.
- CSV Injection.
- Attacks involving physical or social engineering.
- Missing autocomplete attributes.
- Vulnerabilities reported by automated tools (e.g. Burp Suite).
- Denial of Service attacks.
- Missing DKIM, SPF, or related records on Heroku domains.
- Open ports on Heroku services.
- Publicly accessible login panels.
- Descriptive Error Messages (e.g. Stacktraces, application errors, server errors)
- Banner Disclosure on publicly accessible services..
- SSL Attacks (e.g. BEAST, BREACH, Renegotiation attack), or SSL/TLS reports from sites such as Qualys/SSLLabs
- Permissive CORS configurations unless there is a demonstrable exploit that allows sensitive data disclosure.
- Missing flags on cookies not involved in authentication/authorization.
- Missing CSP Configuration.
- Missing HTTP Security Headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options.
- Issues affecting outdated browsers.
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Issues whose primary impact is defense in depth, best practice, or otherwise low severity are typically patched within 90 days. All issues will be paid after a fix has been applied.