Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.

2. Key Takeaways from
Instructure’s Bug Bounty
Program
Presenters:
Q. Wade Billings, Sr. Director of Global IT Shared Services : Instructure
Jonathan Cran, VP Operations : Bugcrowd

3. Your Presenters
• Q. Wade Billings, Sr. Director of Global IT Shared Services
Instructure
• IT leadership career spanning over 20 years. Held high level
positions with Excite@Home, lowermybills.com, Medicity and
most recently WorkFront (fka AtTask)
• Involved in the Utah InfoSec community with ties to
BSidesSLC and UtahSec.org
• Jonathan Cran, VP Operations Bugcrowd
• Security Assessment Startups. Leadership positions with
Rapid7, Pwnie Express, Metasploit.

4. About Instructure
• Instructure makes smart software that makes people smarter
• Instructure is a fast growing, education technology SaaS
company serving multiple global markets
• Our growth since launch in 2011
• 18+ million users
• 1,200 institutions under contract
• 500+ employees
• Global offices and five hosting platforms worldwide

5. About Bugcrowd
• Your Elastic Security Team
• Founded in 2012, based in San Francisco, 20
employees
• 15,000 Researchers, $400,000 in researcher payments
in 2014, 150 programs
• Provider of Crowdcontrol, the platform for Bug Bounty
and Flex Bounty programs
• We help you start and manage your bug bounty program

6. Annual Assessment
• We update our platform every three weeks and users
benefit from features and bug fixes.
• Starting in 2011, Instructure took a proactive approach to
security.
• We publicly published results after the first security audit
• When vulnerabilities were found, we fixed them and put
them into production as quickly as possible
• We even embedded a blogger to observe and document
the process!!

7. Why Bugcrowd?
• This year we wanted to take it a step further.
• Economics of bug bounties promised better results
compared to the traditional approach
• Large researcher community, strong engagement
• Flex bounty met the “Annual Assessment” format

8. Bugcrowd Flex
• Two week bug bounty
• Private with vetted researchers
• Top placed rewards (35%), Others (65%)
• Flex Bounty Report
• Access to researchers and management platform

9. Flex Reward Structure

10. Flex Process
• Step 1: Onboarding
• Step 2: Program opens to private, vetted researchers
• Step 3: Crowdcontrol removes duplicates and out of scope
issues, providing quick feedback to researchers
• Step 4: Customer Validates, Assigns Awards and Authorizes
Payments
• Step 5: Program Closes, Report Created, Report Delivered
• Step 6: Customer resolves and Researcher re-tests (if
requested)

11. Flex Process

12. Flex Results
• Instead of two or three security
researchers, we had 63+
researchers active during the test
• 10x the number of vulnerabilities
identified
• This is NOT because Instructure is
less secure - we have been doing
these open audits each year for
three years
• Each researcher comes at the
problem with a different perspective

13. Flex Results
• Stored XSS
• Sending messages
for unsubscribed
courses
• Encrypted Cookie
Store malleability /
Key-reuse
• https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/

14. Key Takeaways
• Security is a process, and you can benefit by being
transparent about your assessment process
• Flex bounties work! More, high-quality results by
engaging with the research community vs traditional
methods
• Bugcrowd is helping make the bug bounty programs
accessible to organizations
• Download the report: https://blog.bugcrowd.com/
increased-pen-test-results-instructure-flex/

15. What’s next
• We’ve launched a new ongoing bug bounty
program in partnership with Bugcrowd
• Our overarching goal is to create the most secure
learning and engagement platform for teachers
and corporate trainers across the world.
• We do this by being proactive and playing offense
when it comes to security, not defense.

16. Questions?