In Scope

| Scope Type | Scope Name |
|---|---|
| other | Vulnerabilities which affect multi-tenant integrity of the Heroku Platform |
| web_application | Source code (excluding demo and deprecated repos) only available at github.com/heroku/ |

Out of Scope

| Scope Type | Scope Name |
|---|---|
| web_application | Heroku Customer Applications (*.herokuapp.com) |
Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.
Before you begin, please read and understand the Standard Disclosure Terms.
Heroku customer applications are out of scope for this program; you may only test against Heroku properties. Submissions for will be treated as out of scope.
You can identify public-facing Heroku properties by their EV SSL certificates.
Please consult the Focus Areas below for more information about the different components that make up Heroku.
Last updated 29 Jun 2018 16:38:54 UTC
| Technical severity | Reward range |
|---|---|
| P1 Critical | Starting at: $3,000 |
| P2 Severe | Starting at: $900 |
| P3 Moderate | Starting at: $300 |
| P4 Low | Starting at: $100 |

P5 submissions do not receive any rewards for this program.
In-scope targets

| Target name | Type |
|---|---|
| <https://dashboard.heroku.com> | Other |
| <https://id.heroku.com> | Other |
| <https://api.heroku.com> | Other |
| <https://dataclips.heroku.com> | Other |
| <https://help.heroku.com> | Other |
| <https://www.heroku.com> | Other |
| <https://toolbelt.heroku.com> | Other |
| <https://elements.heroku.com> | Other |
| <https://signup.heroku.com> | Other |
| <http://status.heroku.com/> | Other |
| <https://telex.heroku.com/> | Other |
| <https://data.heroku.com> | Other |
| <https://addons.heroku.com> | Other |
| <https://devcenter.heroku.com> | Other |
| Source code (excluding demo and deprecated repos) only available at github.com/heroku/ | Other |
| Vulnerabilities which affect multi-tenant integrity of the Heroku Platform | Other |
| <https://connect.heroku.com> | Other |
| <https://provider.heroku.com> | Other |
| addons-next.heroku.com | Website |
| <https://git.heroku.com/> | Website |
| <http://registry.heroku.com/> | Website |
| <https://particleboard.heroku.com> | Website |

Out-of-scope targets

| Target name | Type |
|---|---|
| <https://github.com/heroku/windmil> | Website |
| Heroku Customer Applications (*.herokuapp.com) | Website |
The platform itself is our main product and the primary focus area for security; it is what all of the other targets support (and where most of them run).
Developers can create applications written in Ruby, Node.js, Java, Python, Clojure, Scala, Go, and PHP and deploy them on our platform. Once deployed, the application is assembled into a slug, which is then run on a dyno.
What to look for:
A dyno should only be accessible to authorised users, so we are particularly interested in issues that could lead to privilege escalation or a break-out from the user dyno, issues that allow one customer's dyno to interact with another customer's dyno, and issues that allow a dyno to intercept traffic from another dyno.
The platform API (api.heroku.com) is how developers interact with the Heroku Platform. You can use the platform API to programmatically create apps, provision add-ons and perform other tasks. Most Heroku tools (such as the CLI and dashboard) interact with the Heroku platform through the API.
The Heroku Dashboard is the web user interface for Heroku’s core features and functionality. This is the main web application target for our bounty.
It provides UI support for things like creating/renaming/deleting apps, configuring add-ons, managing Heroku Teams, creating Heroku Pipelines, deploying your application, viewing and responding to application metrics, and accessing usage, invoices and billing information.
Other Heroku products that are not part of the Heroku Dashboard can be accessed via the main navigation. Some of those products are Heroku Data, Dataclips, and Heroku Connect (Heroku/Salesforce Integration).
The Heroku Command Line Interface (CLI), formerly known as the Heroku Toolbelt, is a tool for creating and managing Heroku apps from the command line / shell of various operating systems. It is written in Go and Node and interacts with the Heroku Platform API.
Heroku CLI plugins that are published on GitHub under the Heroku org are also in scope and provide additional functionality to test (e.g. https://github.com/heroku/heroku-cli-addons).
Heroku Connect is an add-on that synchronizes data between your Salesforce organization and a Heroku Postgres database. You can follow the getting started documentation to provision an application with Heroku Connect and use the free Demo plan for testing.
Only the Heroku endpoints are in scope. Do not perform testing or attacks against any non-Heroku Salesforce URIs.
A new build system powered by Docker, which allows building of slugs based on Docker images. A custom heroku.yml can be used to specify the Dockerfile to use and to specify add-ons and config vars to create during app provisioning.
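As an added illustration, not text from the bounty brief or a Heroku-maintained file, a minimal heroku.yml of the shape described above. The top-level sections (setup, build, run) are the documented heroku.yml sections; the add-on plan, config var and process command are placeholder values chosen for this example.

```yaml
# Added example heroku.yml (not from the program page). The section names are
# the documented ones; every value below is a placeholder.
setup:
  addons:
    - plan: heroku-postgresql      # add-on provisioned when the app is created
  config:
    RAILS_ENV: production          # config var set at provisioning time
build:
  docker:
    web: Dockerfile                # Dockerfile used to build the web process image
run:
  web: bundle exec puma -C config/puma.rb   # command executed in the web dyno
```

From a tester's perspective the setup section is the part that drives add-on provisioning and config var creation at app creation time, and the build section is what selects the Dockerfile the slug is built from, which is why the brief singles out heroku.yml.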
What to look for:
Heroku is most interested in the following types of findings:
Apache Kafka on Heroku is an add-on that provides Kafka as a service with full integration into the Heroku platform.
Apache Kafka is a distributed commit log for fast, fault-tolerant communication between producers and consumers using message-based topics. Kafka provides the messaging backbone for building a new generation of distributed applications capable of handling billions of events and millions of transactions, and is designed to move large volumes of ephemeral data with a high degree of reliability and fault tolerance.
This is an expensive add-on and we do not have a free tier at this time for testing. However, we are interested in any vulnerabilities you may discover in Apache Kafka that are specific to our deployment.
You MUST use the [USERNAME]@bugcrowdninja.com email alias when signing up for heroku.com accounts that will be used to participate in this bounty.
For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and sign up with an email address such
Accounts not following these rules will be suspended without warning.
The following vulnerability classes are explicitly excluded from the bounty, and will not be rewarded unless a reproducible proof-of-concept demonstrating a clear and significant impact to the Heroku platform or its users can be provided. tl;dr: if it is exploitable, or affects other users of the platform, we want to know about it.
If you're on any U.S. government denied-party list or live in a country that is on such a list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
We, of course, reserve the right to cancel or modify this program at any time and the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Issues whose primary impact is defense in depth, best practice, or otherwise low severity are typically patched within 90 days. All issues will be paid after a fix has been applied.