Agreed. I was surprised when I received an email from Heroku letting me know that a few of my apps needed to be updated after the Rails vulnerabilities were uncovered. They also named the apps that needed to be updated, which makes my job that much simpler.
I guess they had to build the feature. With the follow-on exploit for rails <3.1, the notification email went out very quickly and probably they will have quick notifications going forward.
