Not a security expert but have seen this repeatedly coming up in the security forum. See for example How to prevent session hijacking in Moodle. The argument is that to hijack the hacker have to have access to a valid session ID, means he had access any way.
Either way, security findings needs to be submitted secretly. The proper place is https://moodle.org/security/report/. See this and other information published in the Security and privacy forum.