canvas-lms has a private Bug Bounty program in Bugcrowd. If you would like to submit a vulnerability, please email security@instructure.com with the email address of your Bugcrowd researcher account and we will add you to the program. We will reward valid submissions according to our pay scale defined in Bugcrowd. For more information on our Vulnerability Disclosure program, please visit https://www.instructure.com/products/canvas/security