Our members are from different educational institutions all over the United States.
Combined we support over one million individuals.



Once upon a time a security researcher working in K12 reported a vulnerability. The corporation informed the researcher that the vulnerability already had a patch available. The researcher realized that the patch had been around for at least 24 months but no one knew about the patch, therefore, everyone was exposed.

The researcher warned of other potential issues in the software but was dismissed. So the researcher spent more time evaluating and testing the software. The researcher discovered a new vulnerability and wrote a PoC to exfiltrate sensitive employee data. The researcher notified the corporation following the 90 day responsible disclosure model and the corporation took the information, created a patch and released said patch within the allotted time.

Unfortunately, the messaging was poor and stated that the software contained a vulnerability but only a recommendation to apply the patch. There were no further details. Frustrated, the researcher spent more time evaluating the software. Finding many issues, some just as severe as the previous exploits. This time, the researcher contacted many other School Districts and users of the software, he was able to get everyone to agree to the terms of the embargo, and in unison, submit the latest discoveries.

Under immense pressure the corporation eventually released a statement that because of the risks, the software should be removed from the public internet with further steps to harden and protect it.

The above story illustrates what the community has been exposed to time and time again. You can substitue many different vendor’s names or dates in the story. But it is one that many of us know and are familiar with.

OpsecEdu’s goal is to help change this narrative.



Continue to build a respectful and cohesive community for Edtech to collaborate, share security strategies and vulnerability discoveries, and collectively fully disclose vulnerabilities to vendors so that vendors are held accountable and Institutions can act in the interim.


Create a scoring system where vendors or their products are given a rating so that IT Directors and Managers can quantify said risk into their product purchases and implementations.


Build a framework to teach any Organization in Education how to assess and quantify risk in regard to InfoSec. Answering questions like “What is the value of my infrastructure and data to these types of bad actors (Nation States, Wholesalers, etc)? How likely am I to be hacked? How much budget should I divert to InfoSec and what is my ROI?”


Further the privacy conversation for our students. "How much data is too much and what 3rd parties are we giving it to? If we never delete user data, what risks are our organization and users exposed to?"


April Mardock

Information Security Manager @ Seattle Public Schools

Nathan Mcnulty

Security Architect @ Beaverton School District

Executive Director

Jared Folkins

IT Engineer @ Bend La Pine Schools


John Gates

CISSP, Security Analyst

Jessy Irwin

Head of Security @ Tendermint

Jay Lagorio

Senior Technical Advisor @ US Department of Defense

Kyle Isom

Engineering @ Dropbox

Michael Esparza

Senior IT Security Analyst @ Texas A&M University System

Doug Levin

Founder @ EdTech Strategies LLC

Travis Paakki

Interim CTO @ Portland Public Schools

David Millians

System Administrator @ Oconee County Schools

Sean O'Brien

Lecturer & Researcher @ Yale Privacy Lab

Dorothea Salo

Educator, Preservationist, Privacy Advocate @ University of Wisconsin at Madison

Nick Vissari

Data Architect & Security Manager @ Howard County Public School System

Rob McCartney

Director of Techonlogy @ Sioux Central CSD

Mark Kosier

Chief Information Officer @ Tech Equation