

Incident Response at Heroku - fomb
https://blog.heroku.com/archives/2014/5/9/incident-response-at-heroku

======
sergiotapia
And that's why I pay for Heroku. They let me sleep at night instead of
worrying about keeping my stack up to date. I can't afford a dedicated
engineer to keep things 'kosher' on my boxes, so Heroku is fantastic in that
regard.

I have a pet project up and running on DigitalOcean but my god, it's
duct-taped to hell. I don't even know how to apply Nginx patches as they come
out without bringing down the website. :(

Thanks Heroku for sharing!

~~~
dperfect
> They let me sleep at night instead of worrying about keeping my stack up to
> date

I'm not sure what kind of stack you're running on Heroku, but if it happens to
be Ruby, Heroku won't do anything (AFAIK) to update gems specified in your
Gemfile.lock file when vulnerabilities are found. That's still up to you, and
security issues in gems appear to be far more common than those in parts of
the infrastructure that Heroku does keep up-to-date.
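
One way to act on the point above (added example, not from the thread, Heroku, or Bundler): parse the locked versions out of a Gemfile.lock and compare each against the patched-version requirement in an advisory list. The lockfile text and the advisory entries below are constructed for illustration, with placeholder advisory ids; in practice the advisory data comes from a maintained database such as the one bundler-audit consumes, and this script only shows the check itself.

```ruby
# Added example: flag gems in a Gemfile.lock whose locked version does not
# satisfy the "patched in" requirement of a known advisory. Everything here
# (lockfile contents, advisory ids, patched versions) is constructed.
require 'rubygems'

# Constructed sample Gemfile.lock; the layout matches what Bundler writes.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.5.2)
      rails-html-sanitizer (1.0.2)
      nokogiri (1.6.7)
      sinatra (1.4.5)
        rack (~> 1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    sinatra
LOCK

# Constructed advisories: gem name => list of [advisory id, patched requirement].
# Placeholder ids; a real run would load these from an advisory database.
ADVISORIES = {
  'rack'     => [['EXAMPLE-ADV-1', '>= 1.5.3']],
  'nokogiri' => [['EXAMPLE-ADV-2', '>= 1.6.8']],
}.freeze

# Parse the "specs:" section into {gem name => Gem::Version}.
# Top-level specs are indented exactly four spaces; deeper indentation lists
# a spec's own dependencies (with requirements, not locked versions) and is
# skipped. A platform suffix such as "1.6.7-x86_64-linux" is trimmed.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^[A-Z]/ # next section header (PLATFORMS, ...)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    specs[m[1]] = Gem::Version.new(m[2].split('-').first)
  end
  specs
end

# Return [gem, locked version, advisory id] for every locked version that
# does not satisfy the advisory's patched requirement.
def vulnerable_gems(lockfile_text, advisories = ADVISORIES)
  parse_lockfile(lockfile_text).flat_map do |name, version|
    (advisories[name] || [])
      .reject { |_, req| Gem::Requirement.new(req).satisfied_by?(version) }
      .map { |id, _| [name, version.to_s, id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  findings = vulnerable_gems(text)
  if findings.empty?
    puts 'no locked gem matches a listed advisory'
  else
    findings.each { |name, ver, id| puts "#{name} #{ver}: #{id}" }
  end
end
```

Run it with a path to a real Gemfile.lock as the first argument to check that file against the (placeholder) advisory list; without an argument it checks the constructed sample. The point of reading the lockfile rather than the Gemfile is that the lockfile records the exact versions deployed, which is what an advisory's patched-version requirement has to be compared against.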

~~~
thinkbohemian
Generally if it's a large enough security incident and the fix is in gem land,
we send out emails. At the end of the day, you're still responsible for
security of your own code (and libraries), but we try to help.

