On September 19, the Center for Long-Term Cybersecurity (CLTC) Public Interest Cybersecurity Program hosted the EdProtect Cybersecurity Research Symposium, in Washington, D.C. The symposium was the second part of EdProtect, a two-part initiative co-led by CLTC, the Hacking Policy Council, and Bugcrowd.
The initiative consisted of:
- a virtual “bugbash,” a collaborative effort to identify vulnerabilities, focused on education technology (edtech) software products, and
- a research symposium to review and discuss the results.
EdProtect was designed to explore whether offering “bug bounties” — financial awards for finding software vulnerabilities — could complement existing security programs and contribute to better security outcomes for edtech software manufacturers. While most vendors serving K-12 school districts primarily rely on penetration testing, few have experimented with bug bounty approaches.
At the one-day symposium, students from three colleges presented the vulnerabilities they discovered in edtech products offered by Skyward, a leading provider of software-as-a-service (SaaS) products used in K-12 schools across the U.S. The vulnerabilities were discovered during a July 2025 live-hacking event run by Bugcrowd, a company specializing in bug bounty and vulnerability disclosure programs.
During the symposium, the students explained the methods they used to discover the bugs, and leaders from Skyward doled out awards to the students. The event showcased how collaborative vulnerability disclosure programs (VDP) like bug bounties can strengthen the security of edtech software — and better protect the students and schools that rely on it. This project was made possible by the generous support of Okta and Craig Newmark Philanthropies for CLTC’s Public Interest Cybersecurity program.
EdProtect at a glance:
- Over 30 previously unknown vulnerabilities were discovered in Skyward products, with 70% of vulnerabilities receiving a “medium” severity rating.
- $20,000 in bounties were awarded to student and professional security researchers.
- Skyward leaders said that this bug bounty live hacking event delivered more insights than seven years of traditional penetration testing.
- 25 students gained their first experience contributing to a bug bounty program, receiving hands-on training, mentorship, and monetary rewards for their efforts.
- Two security researchers delivered presentations on their bugs directly to Skyward’s executive team and IT staff. The audience also included representatives from the Department of Education, the Office of the National Cyber Director, and other edtech vendors.
The results
In July, Bugcrowd hosted a BugBash — a short live-hacking event where a team comes together to rigorously test a product and find as many bugs as possible within a limited time frame — on behalf of Skyward, a Wisconsin-based edtech company and one of the largest providers of student information systems (SIS) and enterprise resource planning (ERP) software to K-12 schools. Skyward’s products are designed to help manage critical K-12 school functions, including attendance, bus routing, lunch information, learning and grading systems, staff management, and finance.
Over a three-week period, 25 cybersecurity students from George Mason University, Rochester Institute of Technology, the University of Maryland, Baltimore County, and Christopher Newport University, along with two professional security researchers, tested two of Skyward’s products within a secure, isolated testing environment. They discovered more than 30 previously unknown vulnerabilities, 70% of which were rated as medium severity or higher (with the remaining 30% rating as low severity). $20,000 in bounty rewards were distributed to participants for their efforts.
“The amount of insight that we got from this testing surpassed all the other pentesting we’ve done.”
Mike Bianco, VP of Information Security at Skyward
For the past seven years, Skyward has relied on a rotating set of third-party firms to conduct penetration testing on its products. While this approach has worked well and kept fresh eyes on their software products, EdProtect marked the company’s first experience with crowdsourced testing – and the results exceeded their expectations.
At the symposium, Ray Ackerlund, Skyward’s President, and Mike Bianco, VP of Information Security, explained why this bug bounty experience surpassed traditional pentesting they had run in the past. “The amount of insight that we got from this testing surpassed all the other pentesting we’ve done,” said Mike Bianco, VP of Information Security at Skyward.
The primary reason, they explained, was the high-quality documentation produced by the researchers, which they said was in-depth, comprehensive, and easily shareable with developers, reducing the burden on Skyward’s IT staff to explain the scope and significance of the bugs to developers. Skyward appreciated how Bugcrowd required researchers to provide adequate documentation when submitting their work, and how they followed up with researchers to fill any gaps and request additional details.
Comparing the BugBash experience to traditional pentesting, Skyward noted that there was greater creativity, diversity, and quantity in the bugs submitted. Another difference was the direct interaction with researchers during the symposium, which provided new visibility into how bugs were discovered and allowed for a productive back-and-forth dialogue with the Skyward IT team.
A one-of-a-kind cybersecurity workforce development opportunity
EdProtect was designed in part as a workforce development opportunity for student hackers interested in careers in good-faith security research and public service. As a founding member of the Consortium of Cybersecurity Clinics, CLTC believes strongly in the power and effectiveness of student-led contributions for protecting critical infrastructure and closing cybersecurity resource gaps. Empowering students to help secure K-12 schools is a natural extension of that mission.
While many of the students participating in the BugBash had prior experience with Capture the Flag (CTF) competitions, none had previously participated in a formal bug bounty program focused on securing real-world products. To support them before and during the EdProtect live hacking event, an experienced Bugcrowd hacker led weekly training sessions on bug bounty hunting techniques and ethical hacking, guiding the students on how to apply and translate their CTF skills.
At the event, the security researchers had a unique opportunity to present their findings directly to Skyward’s executive and IT teams, and to participate in a live Q&A with other edtech leaders in the audience.
Each student received a commemorative certificate acknowledging their participation, along with 15 Continuing Professional Education (CPE) credits, which are applicable toward cybersecurity certifications and class credit. Bugcrowd presented special awards for “Most Impactful Submission,” “Most Unique Submission,” “Most Detailed Report,” and a “Student Bonus” recognizing ingenuity, unique thinking, and impact in a submission.
A game-changing partnership between students, academia, industry, and edtech
The EdProtect Cybersecurity Research Symposium is the continuation of CLTC’s continued efforts to improve the state of cybersecurity in K-12 schools. The initiative began in October 2024 with the Partnership to Advance Cybersecurity in Education (PACE) Forum, an event co-hosted by CLTC and the U.S. Department of Education that brought together 12 major edtech software manufacturers to discuss ways to enhance the cybersecurity of critical software used in K-12 school districts across the U.S.
The event sought to encourage vendors to adopt “secure-by-design” and “secure-by-default” product design practices, thus shifting the burden of defense from edtech customers onto the edtech industry. The forum highlighted that, while edtech software manufacturers are uniquely positioned to improve cybersecurity outcomes for K-12 schools by integrating more security features into their products, they face significant technological and cultural obstacles – both within their own organizations and among their customer base – to configure these features by default and require their use.
“So much of our critical infrastructure is owned and operated by private-sector entities. In education, it’s really just a few student information systems. There are three or four that cover the entire market. We don’t need to change the practice of 14,000 school districts. We need to change the practice of four or five vendors….This could have a dramatic impact on the security of our schools and our students.”
Michael Klein, CLTC Nonresident Fellow and former Senior Advisor for Cybersecurity of the U.S. Department of Education.
Following the forum, CLTC set out to create an opportunity for edtech vendors to “test drive” a formal bug bounty program. Bug bounty programs are increasingly used to enhance product security across various industries by engaging and rewarding independent security researchers for identifying and responsibly reporting vulnerabilities before they can be exploited. This creates incentives for good-faith hackers, enabling companies to harness their talent and only pay for outcomes. However, many companies hesitate to adopt bug bounty due to concerns about risk, the high cost of entry, and a lack of awareness about the value these programs can deliver.
Recognizing that most vendors serving K-12 school districts primarily rely on penetration testing to stress-test their products and organizational security, and that few have implemented bug bounty programs, CLTC launched EdProtect, with the intended goal of exploring whether bug bounty could complement existing security programs and contribute to better security outcomes for edtech software manufacturers. Part of the goal of the initiative is to produce evidence that could inform change in the edtech industry for the benefit of K-12 school districts that rely on this technology.
Securing edtech participation
“I understand why some companies are so afraid to try [bug bounty programs]. It’s always that element of vulnerability, like, ‘Oh, what are they going to find? […] What’s the risk that we’re taking [on]?’ …As I looked at it and understood it more, it was something that we recognized was really important to us.”
Ray Ackerlund, President, Skyward
Two factors made Skyward interested in participating in the EdProtect bug bounty program. First, their IT team has a strong relationship with executive leaders, who recognize cybersecurity as vital to the business and are willing to engage openly on the issue. Skyward’s leaders recognize that cyber risk is a growing concern for school districts, and they sought to take proactive steps to enhance security for their customers.
Second, Skyward had trust in the EdProtect partnership due to previous engagement with CLTC through the PACE Forum. This made EdProtect and the Bugcrowd program stand out among solutions asa credible initiative grounded in the public interest. “Being involved with the Center for Long-Term Cybersecurity, and previously with the Department of Education, gave a lot more trust for us to move forward. That probably was one of the biggest reasons why we were most open to doing this,” Bianco said.
“Being involved with the Center for Long-Term Cybersecurity, and previously with the Department of Education, gave a lot more trust for us to move forward. That probably was one of the biggest reasons why we were most open to doing this.”
Mike Bianco, VP of Information Security at Skyward
What ultimately helped Skyward take the leap was their commitment to reducing risks for their customers, coupled with the belief that participating in the EdProtect initiative could spark positive change across the edtech industry by encouraging other vendors to embrace crowdsourced security.
“We were extremely pleased and very honored to be involved with this, and we really hope it sets the stage for this type of process to continue across the industry and not just help the edtech vendors,” Ackerlund says. “But that next piece now is then even getting it into the actual K 12 environment, because they’re the ones that are at the greatest risk.”
Next Steps
CLTC, the Hacking Policy Council, and Bugcrowd concluded EdProtect with a series of breakout sessions designed to explore next steps.
Students considered their own futures in the bug bounty space by participating in a training led by Ads Dawson, a veteran bug hunter who is currently Staff AI Security Researcher at Dreadnode. Dawson shared his journey into bug bounty work, strategies for making the leap from CTF to professional bug bounty careers, and how to cultivate a hacker mindset.
At the same time, representatives from Skyward, Bugcrowd, CLTC, the Hacking Policy Council, ONCD, the Department of Education, and other edtech vendors convened a roundtable to discuss how bug bounty programs could become the norm in the edtech industry. Their discussion centered on how policymakers, school districts, and industry coalitions can encourage and support the edtech sector to adopt secure-by-design practices and establish collaborative VDPs like bug bounties.
Participants explored the incentives that might motivate vendors, the potential market advantages of adoption, and the trade-offs or risks that companies must weigh. The session closed with reflections on how policy leadership at the federal, state, and school district levels could spark industry-wide change.
“We were extremely pleased and very honored to be involved with this, and we really hope it sets the stage for this type of process to continue across the industry and not just help the edtech vendors. But that next piece now is then even getting it into the actual K 12 environment, because they’re the ones that are at the greatest risk.”
Ray Ackerlund, President of Skyward
The success of EdProtect shows that collaborative vulnerability disclosure programs like bug bounty are both well-suited to the edtech sector and can have a big impact. The next step is for more edtech vendors to take the leap — and for policymakers and vendors to help lead change in the industry to ensure that the technology supporting America’s schools is safe and resilient.
