Back in 2011, Instructure started conducting annual open security audits. It may sound daunting, but it’s really pretty simple. We invite third-party security providers to look for potential vulnerabilities in Canvas. We proactively fix them, which makes Canvas safer and more secure for everyone. Then we share the results online (as in publicly, with the world).
What was so special about this audit? For starters, we partnered with Bugcrowd to enlist the help of more than 60 top security researchers. To put that number in context, typical third-party security audits are performed by one or two researchers, who follow standard methodologies and use “tools of the trade.” Their results are predictable, consistent, and exactly what you’d want and expect from this type of service. This year, we wanted an audit that would produce “unexpected” results by testing our platform in unpredictable ways. And with dozens of the world’s top experts, plus Bugcrowd's innovative and scrappy crowdsourcing approach, that’s exactly what we got.
So while last year’s audit found six issues, this year’s process unearthed a startling 59. (Yeah, you read that right. Fifty-nine.) Witness the power of crowdsourcing an open security audit.
We’ve now resolved all 59 of these issues. We rolled out patches automatically as fixes were developed, so no action was required by our users, and they didn’t have to wait on their internal IT teams to schedule downtime to apply a patch set. The ability to resolve issues for everyone, everywhere, all at once is one of the great things about a cloud-based delivery model.
To keep the unexpected results (and continual improvements) pouring in all year, we’re extending our partnership with Bugcrowd. Starting today, security researchers can sign up for our new bug bounty program to receive cash rewards for confirmed findings. The bug bounty is just another part of our ongoing security program (in addition to our annual audits, monthly vulnerability scans, automated testing, internal research assessments, and public reports about known security issues).
No one, and no LMS, is perfect, but by demonstrating our commitment to security and transparency, we hope you’ll trust that we’re trying to be. Canvas is safer than ever, and we plan to keep it that way.
Q Wade Billings
Sr. Director DevOps and Security