We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time to designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.
We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations.
We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team, do not share your knowledge of security issues with the public at large.
Create a new issue in the Moodle Tracker, describing the problem (and the solution, if possible) in detail. Step-by-step instructions to reproduce the issue are recommended where possible, because they make the source of the problem easier to identify, so the issue can be triaged more effectively. Make sure you set the security level accurately to ensure that the security team sees it. Bugs classified as a "Serious security issue" or "Minor security issue" are hidden from everyone apart from the security team and the person who reported the problem. If you are not sure whether an issue is a security issue, you should still create a new issue in the tracker for review, using the security level "Could be a security issue".
Alternatively, you can send an email to email@example.com; however, this is less secure than using the Tracker.
Please do not post about security issues in the forums on moodle.org or elsewhere. This will cause the issue to be more widely known before a fix can be prepared.