Instructure’s Proven Security Vulnerability Disclosure Program


Every year, the Instructure security team attends DefCon to learn together with the greater security community about ways we can improve our security posture. The security landscape is constantly changing--with new ways to break things in never-before discovered ways. Like any technology organization committed to security, we have our own things we’re working on to improve our defenses against things that might negatively impact your learning experience using our products. We do many things well, and we are always finding ways we can improve.

One talk that hit close to home was, Are Your Child's Records at Risk? The Current State of School Infosec, which covered “never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research.”

Bill--who was merely 16 years old at the time--discovered and attempted to report his findings. In both cases, the way to disclose his findings was not easily discoverable and, when connection was made, Bill either didn’t receive the necessary and appropriate attention a security researcher would expect, or didn’t receive any response at all. In response to Bill’s talk, we’re happy to see that these companies are responding in kind, making the needed improvements and adding enhanced focus to improve their own security practices as a result. Organizations making security improvements is a win-win for all of us.

No technology company is immune to security threats. That’s why, when it comes to protecting students, the industry as a whole needs to work together to identify the best security practices. Whether it’s Instructure, our partners, or our competitors, we want to advocate the best practices and lead by example. 

The Instructure information security vulnerability disclosure program is hosted through Bugcrowd. We find Bugcrowd’s service to be extremely valuable and have found that no other provider has been able to match the level of support in this area. We’re pleased to report that Bill is the newest member of Instructure’s private bug bounty program. We were able to extend a personal invitation to him after his talk, and he provided us with his information to get him added.

Part of what we have done and will continue to do is work closely with security researchers to test our systems. We have multiple ways for these researchers to disclose vulnerabilities and we are committed to continuing our 24 hour initial response time to these research partners. Over the past three years through this program we’ve been able to work with this research community to identify and address hundreds of security alerts.

One thing that we do that no other learning journey software provider does is provide our annual Bugcrowd penetration results for all to see. Our latest report, covering calendar-year 2018, can be found here.

Lastly, we extend an invitation to all security researchers to join our bug bounty program, where we pay cash for findings. If you are interested in joining, please send us your Bugcrowd ID to

This way is just another way we demonstrate our commitment to taking the security of your data seriously.

Keep learning,

Matt Hillary
Vice President of Security, Instructure

Discover More Topics:

Stay in the know.

Subscribe to our blog and keep up-to-date with our latest insights, tips, and updates!