Five years ago, ClassDojo launched a Managed Bug Bounty engagement with Bugcrowd. ClassDojo’s public bug bounty program helps them continually assess the security of their web and mobile applications that are used by millions of teachers and parents worldwide. Over those five years, they’ve rewarded almost $100K to ethical hackers and found almost 200 vulnerabilities. We recently sat down with Dan Ford, Chief Information Security Officer at ClassDojo, to get a few insights into ClassDojo’s success.


Q&A with ClassDojo

Tell us a little bit about ClassDojo

ClassDojo is a global community of more than 50 million teachers and families who come together to share kids’ most important learning moments, in school and at home—through photos, videos, messages, and more.

What inspired you to launch your bug bounty engagement?

We launched our bug bounty program because we recognize that security is an ever-evolving challenge. Given that ClassDojo is used by millions of educators, students, and families worldwide, we wanted to take a proactive approach to security. By leveraging the expertise of ethical hackers, we can stay ahead of potential threats and reinforce our commitment to data privacy and safety. Crowdsourced security gives us access to a diverse range of skills, ensuring we catch a broad range of potential issues before malicious actors can take advantage of them.

What results have you experienced?

Bugcrowd and the ethical hacking community have been invaluable partners in helping us continuously strengthen our security. The breadth of expertise within the Bugcrowd researcher community means we get fresh perspectives on potential vulnerabilities, ensuring our platform remains robust against emerging threats. Bugcrowd’s structured approach to triaging and validating reports also helps us quickly prioritize and address security concerns, making the partnership highly effective.

The best result we’ve seen is that as researchers have identified issues over time, we’re able to find patterns that enable us to improve our overall approach to developing our product. For each vulnerability that comes in, we take a step back and ask ourselves “how representative is this bug of other bugs we may have?” and build strategies on how to holistically address bug classes within our code base.

Why do you keep working with Bugcrowd?

Bugcrowd stood out to us compared to competitors because of its strong track record, researcher diversity, and managed approach to bug bounty programs. Their platform streamlines vulnerability management, allowing us to efficiently assess and remediate security issues. Additionally, Bugcrowd’s community of ethical hackers includes top-tier researchers who bring a wide range of expertise, helping us cover more ground than we could with an in-house security team alone.

The experience working with Bugcrowd has been great for us so far. We started with a private program that yielded great results. Then last year we opened the program more widely and have seen even more submissions.

What are you the most proud of in your engagement?

We’re most proud of the strategic insights on how to improve our development practices and overall application security due to the steady stream of quality reports from researchers.

The biggest success from the program in general is that we’re able to proactively identify vulnerabilities before malicious actors can take advantage of them. We’re able to use the lessons we learn from our bug bounty program to improve how proactive we are, both in catching vulnerabilities during the development process and in creating detections to spot the kinds of attacks Bugcrowd researchers highlight are possible. That way, even if we do miss a bug, we’re still able to detect issues based on patterns researchers have shown us might be avenues of attack.


The hackers who help keep ClassDojo secure

Public bug bounty engagements like ClassDojo’s get attention from thousands of hackers daily. However, most programs end up having a few stand-out hackers who become specialists with the company they’re hacking for.

“Our best researchers are those like CriticalEdge and muhammad0xmostafa who not only submit detailed reports in a way that is easy for us to clearly see what the flaw is, but who also go the extra mile to test the limitations or opportunities exposed by the bugs they find,” Ford said.

We asked muhammad0xmostafa to comment on why they are drawn to the ClassDojo program. They said, “I love the logic of the [ClassDojo] program and the features. I really enjoyed testing it.”

CriticalEdge also had great things to say about the ClassDojo program. “Overall, what kept me engaged with ClassDojo was my increasing familiarity with its application. Even finding small bugs during occasional visits kept me interested. It became the program where I had my first valid report, my first high vulnerability, and my first critical vulnerability. While I’m now exploring other programs, ClassDojo remains one that I frequently revisit.”

When asked why hackers should work on the ClassDojo engagement, Ford said, “If hackers are excited about education technology and an application that serves schools, teachers, parents, and students, then our program is a great one to work with.”