Heroku Security Bug Bounty

Listen to this article

Working with security researchers to ensure the trustworthiness of Heroku’s platform is an ongoing effort of ours. As part of this effort, the Heroku security team, in conjunction with Bugcrowd, is pleased to announce our new security bug bounty program. For each security bug you help find, which helps to ensure our platform is safe and secure, we'll reward you. Our initial rewards will be between $100 and $1500, varying based on the severity of the vulnerability.

Detailed rules and information about the scope of this bounty program are available on our page at Bugcrowd. As was previously the case, customer applications are strictly out of scope for the bounty – but we’ll pass information along to those customers if you let us know.

We will continue to list researchers who report to us on our Hall of Fame, to provide public recognition and thanks for working with us to make our platform more secure.

As part of Heroku and our parent company Salesforce.com’s commitment to philanthropy, if you are interested in donating your bounty to a recognized charity we will match it dollar-for-dollar.

For any other security inquiries, you can still reach the Heroku security team directly at security@heroku.com (PGP key) or by opening a support ticket.