Starting today, Heroku would like to publicly thank all the independent security researchers who have practiced responsible disclosure and helped us remediate issues.
Our intent is for this list to be comprehensive, going back to our beginning. If you’ve reported a vulnerability to us in the past, and you’re either not listed or you’d like your listing changed (e.g., typos, change a link) or removed entirely, just let us know.
Customer applications are ineligible for multiple reasons. Very roughly, this means we don’t list reports for *.herokuapp.com, and aspiring researchers should look at *.heroku.com. This isn’t an absolute rule, however. Older customer applications (i.e., our deprecated “Bamboo” stack) are hosted in *.heroku.com. If you do find a security vulnerability in another customer’s application, please do still let us know. We’re happy to forward the report to the customer either with or without your contact information.
Only one listing per vulnerability. For duplicate reports, the first reporter wins. If necessary, we’ll check the timestamps.
Only one listing per reporter. For researchers kind enough to report multiple issues, we’re still figuring out how best to honor their contributions.
Heroku and Salesforce employees will not be listed in the Hall of Fame.
The decision to list a researcher in the Hall of Fame is made at the sole discretion of the Heroku Security Team.
We don’t offer cash rewards, but we can link to your personal or professional site, and we’ll mail you a stylish Heroku t-shirt.
Again, thank you for helping make the world safer.
Heroku Security Team