Thanks for this initiative.
Moodle security procedures are described here. Please do not post on forums about security vulnerabilities you have found! Also, this is a good page describing different security practices and vulnerabilities.
There are a couple of things I'd like to say to the contestants:
1. If you use automated penetration tests, please make sure not to submit the raw results but instead go through the report and test each case to make sure it is not a false positive. For example, search forms do not need CSRF protection since search results can be linked to directly; however, pentests report a form without sesskey as a security threat. Also keep in mind that pentests are not very helpful when looking for privilege escalation and many other types of vulnerabilities related to authenticated users.
2. There are users in Moodle who are allowed to insert scripts in the text fields. They have capabilities marked with XSS risk and they appear on the report Site administration > Reports > Security overview in the section "XSS trusted users". The default "Student" role does not have such capabilities, but the default "Teacher" role has quite a few of them. If you want to report an XSS vulnerability, make sure that you can reproduce it as a user without capabilities marked with XSS risk.
3. Make sure to include reproduction instructions in the reports about how the vulnerability can be used to attack other users, compromise data or affect the site/server.
4. And, of course, always use the latest supported versions. Otherwise you may find an issue that was already fixed or an issue on a version that is out of support. At the time of writing the latest security-supported versions are: 3.1.11, 3.2.8, 3.3.5 and 3.4.2. Check the Version support page for up-to-date information.
Looking forward to seeing your reports and making Moodle even more secure and reliable.
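As an added illustration of the distinction drawn in point 1 above (this is not code from the post or from Moodle itself; it assumes a hypothetical local plugin `local/example` and a hypothetical capability `local/example:manage`), here is a Moodle page that leaves its GET search form without a sesskey, because the results are meant to be linkable, while guarding the state-changing delete action with `require_sesskey()`:

```php
<?php
// Added illustration, not Moodle's own code. Assumed location:
// local/example/index.php inside a hypothetical local plugin.
require(__DIR__ . '/../../config.php');   // standard Moodle bootstrap

require_login();
$PAGE->set_url(new moodle_url('/local/example/index.php'));
$PAGE->set_context(context_system::instance());

// Read-only search: GET, idempotent, results are meant to be linked to directly,
// so there is deliberately no sesskey. A scanner reporting "form without CSRF
// token" for this form is the false positive the post describes.
$query = optional_param('q', '', PARAM_TEXT);

// State-changing action: POST plus sesskey. require_sesskey() aborts the request
// when the token is absent or does not match the current session's token, so a
// forged cross-site request cannot trigger the deletion.
$deleteid = optional_param('delete', 0, PARAM_INT);
if ($deleteid && data_submitted()) {
    require_sesskey();
    require_capability('local/example:manage', context_system::instance()); // hypothetical capability
    // ... perform the deletion of record $deleteid here ...
    redirect($PAGE->url, get_string('changessaved'));
}

echo $OUTPUT->header();

// Search form: plain GET, no token needed; $query is escaped by html_writer.
echo html_writer::start_tag('form', ['method' => 'get', 'action' => $PAGE->url]);
echo html_writer::empty_tag('input', ['type' => 'text', 'name' => 'q', 'value' => $query]);
echo html_writer::empty_tag('input', ['type' => 'submit', 'value' => get_string('search')]);
echo html_writer::end_tag('form');

// Delete form: POST with the session key embedded as a hidden field.
echo html_writer::start_tag('form', ['method' => 'post', 'action' => $PAGE->url]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey()]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'delete', 'value' => 42]);
echo html_writer::empty_tag('input', ['type' => 'submit', 'value' => get_string('delete')]);
echo html_writer::end_tag('form');

echo $OUTPUT->footer();
```

When triaging a scanner finding, the question to ask of each flagged form is which of these two cases it is: a form that only reads data can be linked to freely, whereas any form that changes state must carry the sesskey and be checked server-side.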