There is a high demand for software developers and security professionals with strong software analysis skills. Currently, many students learn software analysis as an auxiliary exercise to their programming projects, and their experience is limited to white-box testing of applications that they or their peers have written. This type of experience does not give students a realistic or practical set of skills which they can immediately apply to more complex tasks. We describe our experiences with an information security course project in which students were tasked with discovering and analyzing software flaws in real software projects, giving students practical experience in flaw analysis and bug reporting. We discuss the focuses and goals of this project, including its emphasis on responsible disclosure, and the trends in student’s comfort with analysis techniques and tools.