
Bugcrowd Helps Schoology Keep Students’ and Teachers’ Data Safe

“Security is the foundation on which users trust Schoology. We are committed to users’ privacy and it is important that we continue to be a platform that users trust. We partnered with Bugcrowd to make our security program stronger, harnessing the breadth and depth of skilled security testers matched with an incredibly powerful platform and team.”

— Alberto Silveira, VP of Software Engineering
Products
  • Bug Bounty Program
  • Vulnerability Disclosure Program
Industry

Education Technology

  • Challenges

    • As schools transition away from paper, textbooks, and projectors, there’s a growing opportunity for new tools and platforms geared toward educators.
    • The introduction of new technologies into the classroom also expands the attack surface.
    • Last year, the education sector accounted for 13 percent of all data breaches, resulting in the compromise of an estimated 32 million records.
  • Outcomes

    • Schoology now aligns application testing efforts with its development cycle, giving the team confidence that the code released to millions of users achieves the highest industry standards in cybersecurity.
    • Bugcrowd’s program has also helped Schoology to recognize educational opportunities for the engineering team and ways to make processes around security more stringent and efficient.
    • Bugcrowd continues to provide agile support to accommodate Schoology’s changing needs in order for the company to continue to see ROI.

Security at Schoology

Schoology brings together the best K-12 learning management system with assessment management to improve student performance, foster collaboration, and personalize learning.

Used by millions of users around the world, it combines dynamic learning management, an easy-to-use collaborative interface, and next-generation API integration into one innovative solution. Schoology transforms learning into a media-rich interactive experience where students, teachers, parents, and administrators work together to raise student achievement worldwide.

Security has been part of Schoology’s DNA from the beginning. However, like many other organizations, Schoology realized the evolving nature of security threats and started looking for innovative ways to address these challenges.

Schoology turned to Bugcrowd to implement a crowdsourced security program, assisting the team in keeping the safety and security of its users intact. Schoology now aligns application testing efforts with its development cycle, giving the team confidence that the code released to millions of users achieves the highest industry standards in cybersecurity.

Cybersecurity and Classroom Education


As schools transition away from paper, textbooks, and projectors, there’s a growing opportunity for new tools and platforms geared toward educators. Funding for ed-tech startups is skyrocketing, estimated to have hit $1.45 billion last year, according to CB Insights. These tools engage students and enrich their education — not to mention expand educators’ toolbox. However, like anywhere else, the introduction of new technologies into the classroom also expands the attack surface.

In 2017, the education sector accounted for 13 percent of all data breaches, resulting in the compromise of an estimated 32 million records. Although educational institutions may not seem as wealthy or as target-rich as financial organizations, they do house a great deal of sensitive PII, as well as valuable proprietary research data.

Nearly three-quarters (70 percent) of cybersecurity incidents in education are motivated by the possibility of financial gain, according to Verizon’s 2018 Data Breach Investigations Report (DBIR). One in five attacks on educational institutions were motivated by espionage, often targeting sensitive research, and 11 percent of attacks are “just for fun,” according to the report. Schoology and the schools it partners with work together to protect the online privacy of every school community member using Schoology, including students, parents, teachers, and administrators.

Evolution of Schoology’s Program Over Time

Over the last few years, Schoology has learned more from each iteration of its crowdsourced security program. When the company first began its partnership with Bugcrowd in 2015, it launched a continuous bug bounty program that didn’t yield the results they were initially looking for.

With Bugcrowd’s team of enterprise security and hacker engagement experts, Schoology was able to find creative ways to keep the program fresh. Between rotating researchers and introducing the concept of focus areas to the program brief, Schoology increased the program’s overall activity — and results.

Today, Schoology runs a private Bug Bounty Program and a Vulnerability Disclosure Program. Thanks to Bugcrowd’s continued coaching and flexibility, Schoology has been able to constantly revamp its programs to get some of the most informative and productive reports since Schoology introduced crowdsourced security testing into the organization.

Bugcrowd continues to provide agile support to accommodate Schoology’s changing needs in order for the company to continue to see ROI. Due to an ongoing partnership and regular program reviews, the team built trust and credibility, giving Bugcrowd a consultative role and positive outcomes.


Bug Bounty Program Results

With Bugcrowd, Schoology has extended its application security testing efforts. This has given the team more confidence in its platform and releases. It is important that Schoology continues to be a platform that users trust. Bugcrowd has helped to ensure that this is the case.

Bugcrowd’s program has also helped Schoology to recognize educational opportunities for the engineering team and ways to make processes around security more stringent and efficient. Over the course of their programs, they have been able to maintain strong engagement across targets.

Working with Bugcrowd — Measuring Results

Managing crowdsourced security can be a complex process — knowing you have a partner to walk with you every step of the way is imperative. Bugcrowd has the largest, most experienced team for managed programs — 4x more experience managing bug bounty programs than any competitor.

  • Comprehensive onboarding at program outset: the resulting program briefs drive accurate, actionable submissions with less noise
  • Expert triaging means no clean-up work for the security team before they can forward findings to development, which means both less work and faster fixing
  • Our acceptance rate from triage to resolution is more than 92%.

Bugcrowd also provides platform and program education and best practices for using the platform, interacting with researchers, determining reward amounts, and defining success metrics and customer goals to drive toward. Bugcrowd works collaboratively with customers to ensure a healthy bounty throughout the lifetime of the program, making ongoing recommendations regarding the program brief, reward ranges, the addition of researchers, and when to take a program public.
