
I'm pretty appalled that you submitted this to, arguably, one of the most-visited sites for tech news, without at least giving them time to address the problem.

This isn't a case of something small going unnoticed, resulting in a bit of a laugh and giggle. This is people's billing details, and you've just explained how to exploit the bug in complete detail.

I'm really unhappy that this sort of thing even crossed your mind :/



On one hand, I do see your point - at first glance it seems a bit unfair to ambush them like this. On the other hand, if the OP quietly submits it to Heroku and they fix it, then none of us find out. Posting about a vulnerability that has recently been fixed would not be likely to garner nearly as much attention as one that is an open issue.

This is the sort of thing that I, as a Heroku customer, really want to know about. Not because my personal information is at risk - no credit card #'s or anything are accessible - but because it changes my perspective on Heroku. This vulnerability is just plain sloppy on their part - I really thought that the folks at Heroku were smarter than this.

If this leak provided access to any more sensitive data, like credit card #'s or SSNs, I would 100% agree with you - notify Heroku and let them fix it first. But the only real harm I see coming from this being posted pre-fix is embarrassment for Heroku.



