@testusername911 reported an issue where an unclaimed subdomain on Heroku could have been claimed by an attacker and used as a convincing phishing vector. We remediated the issue by registering applications for all subdomains we direct to Heroku.