Hacker News
by dperfect 4417 days ago
> They let me sleep at night instead of worrying about keeping my stack up to date

I'm not sure what kind of stack you're running on Heroku, but if it happens to be Ruby, Heroku won't do anything (AFAIK) to update gems specified in your Gemfile.lock file when vulnerabilities are found. That's still up to you, and security issues in gems appear to be far more common than those in parts of the infrastructure that Heroku does keep up-to-date.

1 comments

Generally if it's a large enough security incident and the fix is in gem land, we send out emails. At the end of the day, you're still responsible for security of your own code (and libraries), but we try to help.