Moodle Security Procedures
We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time to designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.
We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.
We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.
How can I report a security issue?
Please "Create a new issue" in the Moodle Tracker. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team is able to resolve them and publish fixes to registered Moodle sites (see below).
How can I keep my site secure?
It's good practice to always use the latest stable release of the version you are using. It is very safe to upgrade from 2.3.1 to 2.3.2+, for example, at any time. Git is a very easy way to do this.
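A point-release upgrade from git is a matter of fetching and merging the matching `MOODLE_*_STABLE` branch. The following is an added example (not from this page or the Moodle project) that reads the `$release` string out of a site's `version.php`, works out which stable branch it belongs to, and prints the git commands for the upgrade rather than running them. It assumes the site was installed from git and that the working copy already tracks the stable branch; the `version.php` it creates is a constructed sample so the script runs offline, and the helper names (`moodle_release`, `moodle_stable_branch`, `moodle_upgrade_plan`) are this example's own. It also goes beyond the 2.3 case in the text: branches up to 3.9 are named `MOODLE_XY_STABLE`, and from 3.10 onwards the minor number is written with two digits (`MOODLE_310_STABLE`, `MOODLE_401_STABLE`).

```shell
#!/bin/sh
# Added example: map a Moodle release to its stable git branch and print
# the point-release upgrade commands. Not code from the Moodle project.

# Extract the $release string (e.g. "2.3.2+ (Build: 20120915)") from version.php.
moodle_release() {
    sed -n "s/^[$]release *= *'\([^']*\)'.*/\1/p" "$1"
}

# Map a release string to its stable branch name.
# Up to 3.9 the branch is MOODLE_XY_STABLE; from 3.10 (and all of 4.x) the
# minor number is zero-padded to two digits: MOODLE_310_STABLE, MOODLE_401_STABLE.
moodle_stable_branch() {
    major=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    if [ "$major" -ge 4 ] || [ "$minor" -ge 10 ]; then
        printf 'MOODLE_%d%02d_STABLE\n' "$major" "$minor"
    else
        printf 'MOODLE_%d%d_STABLE\n' "$major" "$minor"
    fi
}

# Print (do not run) the git commands that bring the checkout in $1 up to the
# latest point release on its stable branch. Assumes the working copy already
# tracks that branch; take a backup before running them on a live site.
moodle_upgrade_plan() {
    dir=$1
    release=$(moodle_release "$dir/version.php")
    branch=$(moodle_stable_branch "$release") || return 1
    printf '# %s -> %s\n' "$release" "$branch"
    printf 'cd %s\n' "$dir"
    printf 'git fetch origin\n'
    printf 'git merge origin/%s\n' "$branch"
}

# Constructed sample version.php (not taken from a real site) so the example runs offline.
sample=$(mktemp -d)
cat > "$sample/version.php" <<'EOF'
<?php
$release = '2.3.2+ (Build: 20120915)';
EOF

moodle_upgrade_plan "$sample"
```

Run it against a real checkout by calling `moodle_upgrade_plan /path/to/moodle` and review the printed commands before executing them; after `git merge` completes, visit the site's admin page (or run the CLI upgrade script) to finish the database upgrade.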
How can I keep track of recent security issues?
- Register your Moodle site with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.
- Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to automatically add new issues in your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.) You can also follow moodlesecurity on Twitter.