Hack This System! Instructure’s Security Challenge to Hackers

Big Data

Hack This System! Instructure’s Security Challenge to Hackers

By Charley Locke     Mar 3, 2015

Hack This System! Instructure’s Security Challenge to Hackers

Just try to get into Canvas, hackers: Instructure dares you to.

That’s the idea behind the Salt Lake City, UT-based edtech company’s newest security program, in which Instructure pays hackers to find flaws in Canvas, the company’s learning management system software.

Since 2011, Instructure has conducted and published an annual independent review of their security protocols. CEO Josh Coates is quick to note that although Instructure invites competitor learning managements systems to participate in the public security audits, no one is up for the challenge. “Everyone else’s security reports are secret,” Coates tells EdSurge. “Secrets are bad--let’s be real about this.”

This year, instead of hiring a security auditing company to test its system, Instructure decided to try something different. Wade Billings, senior director of IT shared services at Instructure, sees the increasing concerns about student data privacy--and financial value of personal information--as a call to action. “It wasn’t good enough to just do these assessments every year,” he explains. “So we decided to get a little crazy.”

In November 2014, Instructure partnered with Bugcrowd, and offered a “bug bounty” from a pot of $10,000 to “ethical hackers,” in the words of Billings, who could find flaws in the system. “These are people that are very much in the same mindset as those that wish to do us harm,” Billings says. “We’re hiring the skill set and the mindset, but not the motive.”

When a researcher found a flaw, he or she would give documentation to Bugcrowd, who would pass it along to Instructure’s engineering team. Instructure then addressed these security flaws--none of which were critical, according to Billings--within days. Because Canvas is a cloud-based LMS, it is able to deploy fixes immediately, rather than deliver them in a service pack for administrators to deploy.

And the campaign showed results. In previous annual security assessments, two or three analysts would find five or six security flaws each time, according to Billings. The 60 researchers selected by Bugcrowd found 59 security issues over two weeks, all of which have now been resolved by Instructure. The $10,000 pot was allocated to researchers based on severity of bugs found.

Because of its success, Instructure decided to keep going, implementing a private ongoing program with Bugcrowd. “It’s not good enough to be doing this just once a year,” says Billings. “We need constant adaptive vigilance--we want to be constantly assessing ourselves.”

This means that any security researcher can submit his or her Instructure security findings to Bugcrowd, which will evaluate its validity. Instructure will then decide whether the flaw finding merits payment. Since the start of the ongoing program on February 24, there have been six validated and certified reports.

According to Billings, there has never been a verified breach of security at Instructure. So, why the hyper-vigilance? As he sees it, “the best defense is a good offense,” especially when it comes to personally identifiable information about students.

Yet Billings concedes that for hackers, who largely get into sites for “a badge of honor or street cred,” publicly publishing security assessments has its risks. “The risk is that someone looks at that and says, oh, challenge accepted,” admits Billings. “You’ve potentially put chum in the water.”

But he sees the reward as worth the risk. “One of our core tenets is openness,” Billings says. “So we don’t just say that we’re secure, we actually attempt to put proof out there that our words are actually followed up with actions, so we’re held accountable by our customers.” He hopes that Instructure’s active steps towards security will reassure customers about the privacy of their students’ data--and that it will “encourage customers to abandon their legacy LMS and come to Canvas.”

Billings encourages all companies--in edtech or otherwise--to take on similar security precautions. “It’s important with any information where someone could be harmed if the information got out into the world,” he says. “Companies are scared of hackers, lurking in the shadow of the Internet--they instill fear because you don’t know where they’re coming from.” As Billings sees it, “That’s why you want people who have the same mindset on your side. It’s the vulnerabilities you don’t see that are going to get you--the more eyes you have looking on your behalf, the better off you are.”

Learn more about EdSurge operations, ethics and policies here. Learn more about EdSurge supporters here.

More from EdSurge

Get our email newsletterSign me up
Keep up to date with our email newsletterSign me up