The DAY I manage to convince the big wigs where I work that we should switch from a typical shared environment to Heroku, this happens.
Talk about luck. :(
Hopefully I can spin this and not leave a bad taste in their mouths. We (engineers) understand what's happening, management doesn't and they don't give a shit.
From a manager perspective, this sort of alert (as well as recent Heroku emails telling you specifically which app(s) needed patching for the recent Rails CVE issues) is a great example of one of the extra benefits of Heroku. A team of engineers 'watching your back' at no extra charge is a good thing.
Agreed. I was surprised when I received an email from Heroku letting me know that a few of my apps needed to be updated after the Rails vulnerabilities were uncovered. They also named the apps that needed to be updated, which makes my job that much simpler.
I guess they had to build the feature. With the follow-on exploit for rails <3.1, the notification email went out very quickly and probably they will have quick notifications going forward.
The exploit still exists whether you are on Heroku, shared hosting, or a bare metal environment. It's not an issue specific to Heroku; it's an issue that affects Ruby gems. Your situation would be worse if you convinced the big wigs to switch to Ruby today.
"Thank goodness we switched to Heroku. Had we stayed on our previous environment, we would have been opened up to a security exploit without even knowing it."
Feel free to reach out to me if you'd like to have a conversation about how to support your case on Heroku or if you have any questions/concerns; raj@heroku.com
What is the alternative? You stay on the shared hosting and then what, you get hacked because you didn't verify a gem?
Are the bigwigs going to authorize you time to look through all gems for potential backdoors, or are they going to get it for free with their Heroku hosting?