Annual Security Audit Results - 2018

It’s that time of year again--the time when we post the results of our annual external penetration test performed by the multitude of talented security researchers sourced by BugCrowd!

Feel free to download and review the report found at the following link: 

2018 Instructure Canvas Bridge Penetration Test Results

The tl;dr of the report is: 15 researchers submitted a total of 44 findings. 10 of these submissions were confirmed as legitimate vulnerabilities, with the rest being either a duplicate of another researcher’s findings or an invalid submission. These 10 vulnerabilities are broken down into the following security risk levels: 1 Critical, 2 High, 3 Medium, and 4 Low.

In addition to the annual penetration test and security assessment, we continually operate a professional bug bounty program, facilitated by BugCrowd, and we encourage and reward security researchers as they identify and report security findings in Instructure’s products. 

If you are interested in joining our bug bounty program as a security researcher, please contact security@instructure.com with your BugCrowd username and we will get you hooked up!

The importance of a security audit cannot be understated. Having this program--and publicly posting these results annually--has differentiated Instructure from other SaaS providers, especially within the education technology space. We once again encourage all learning platform providers to be open and transparent in a similar way.

Most of all, having these has helped maintain platform security for everyone to grow and progress on their learning journeys. 

Keep learning,

Matt Hillary
VP of Security, Instructure