Bugcrowd Blog

Increasing pen test results by 8x: The Instructure Story

Posted by Bugcrowd on Feb 5, 2015 3:04:00 AM

Since 2011, Instructure has proactively publicized the results of their annual penetration test reports to provide transparency around the security of their learning management system. From 2011 to 2013, these pen tests discovered an average 7.6 valid vulnerabilities each year.

Instructures_yearly_pen_test_results (1)

For its most recent annual penetration test, Instructure engaged Bugcrowd in a private Flex program, which yielded over 8 times the results (59 valid findings) of traditional pen tests run in previous years.

Download the full Report - Learn about the 59 valid findings

Flex is Bugcrowd’s crowdsourced penetration test that allows companies to harness Bugcrowd’s Elite researchers from a pool of more than 14,000 participants.


Progressing security standards through public vulnerability disclosure

Instructure is the company behind Canvas, an open-source learning management system that is not only revolutionizing the way we educate, but progressing security standards as well. Each year, Instructure has published the details of each penetration test report on their security page, which is available for public download. Their security team fixes every valid vulnerability discovered in each year’s report to ensure the integrity of their management system.

By proactively going above and beyond standard security measures, Instructure is ensuring its customers a more secure product.


How they did it

Flex provided Instructure with an increased number of skilled researchers from their prior pen tests, yielding unparalleled results. For two weeks, Bugcrowd’s top 100 security researchers tested Instructure’s application.

The results:

  • Testing Period: 2 weeks
  • Researchers: Bugcrowd’s Top 100
  • Valid Submissions: 59 (9 high severity)
  • Total Submissions: 322

“The cybersecurity landscape is an ever evolving one, so we knew we had to do something different, something innovative with this year’s audit, and that is what Bugcrowd offered us.” said Q. Wade Billings, director of global operations and security for Instructure.


How does a Flex program work, you ask?

Bugcrowd’s in-house validations team reviews and reproduces each submission disclosed by its security researchers during the testing period, which totaled 322 for Instructure’s Flex program. Upon completion of the testing period, Instructure received a streamlined report (which you can download) highlighting the valid vulnerabilities discovered.

With Flex, companies can select any number of researchers required to meet their testing needs. A variety of professional skillsets are represented in Bugcrowd’s Crowd of more than 14,000 researchers, which means companies can select those who are skilled in specific testing fields, including mobile, IoT and network security among other specializations.


Get the full report - Learn about the 59 valid findings


Running Your Own Program, Case Studies

Written by Bugcrowd