Have you identified a potential security issue on a site or infrastructure owned or managed by Moodle?
If so, please report it directly to the Moodle HQ Incident Response team using our Incident Response Submission Form. This process is specifically for security-related incidents and should not be used for general support requests, bugs, or non-security concerns. This applies to all Moodle-managed platforms. This includes, but is not limited to, moodle.com, moodle.org, moodlecloud.com, and all their subdomains. For a complete list of covered platforms, please refer to status.moodle.com.

Examples of reportable events include, but are not limited to:

  • Suspected or confirmed data breaches
  • Exposure or leakage of sensitive information
  • Unauthorised access or account compromise
  • Malware, phishing, or other malicious activity
  • Spam or suspicious messages within the community that may indicate abuse or compromise
  • Unusual system behaviour that could indicate a security issue
  • Misconfigurations that could lead to security risks

For more information regarding reportable events please refer to the NIST Special Publication 800: Incident Response Recommendations and Considerations for Cybersecurity Risk Management.

Report it here: Incident Response Submission Form. Please note this form is not used for submitting security vulnerability reports relating to Moodle products such as Moodle LMS. Product-related security reports can be submitted via: Moodle.org: Reporting a security issue

What happens after a form is submitted? 

Once a form is submitted, the following process occurs:

  1. Form Submission: The report is sent.

  2. Moodle's InfoSec Review: Moodle’s Information Security team reviews the submitted ticket and coordinates necessary remediation steps.

  3. Action and Communication: This includes taking required actions, communicating with impacted users, and updating the report associated with the ticket.

Cybersecurity is everyone’s responsibility. If something doesn’t look right, we want to know about it — even if you’re unsure whether it qualifies as an incident. You will never be penalised for reporting in good faith. Early reporting helps us respond quickly and reduce potential impact. When in doubt — report it! 

Последнее изменение: пятница, 8 мая 2026, 23:54