The Open University regularly does penetration testing of our Moodle sites, and judging by the forum posts, other people do too.
Note that there are several common mistakes that security testers make when testing Moodle.
For example, I bet they will tell you both:
- Moodle lacks XSRF protection.
- Moodle should not put the session identifier (sesskey) in the URL.