
Instructure Dismisses Broken Access Control Vulnerability Report After 11 Months
Tags: Cybersecurity, Vulnerability Disclosure, Access Control, Bug Bounty, Instructure, Canvas, Bugcrowd, PII, Data Exposure, Privilege Escalation
A security researcher reported a Broken Access Control bug to Instructure via Bugcrowd 11 months ago, and also sent it directly to Canvas and Instructure without asking for bounty compensation. The report was ultimately closed as "not applicable." It included screenshots showing that the personally identifiable information (PII) of users enrolled in a course could be exposed, data that could have been used for privilege escalation through social engineering. Two months after the initial report, Instructure replied by email claiming it had no control over the affected domain, bootcampspot.instructure.com. No further action was taken to address the reported issue.