Moodle is a B-Corp and a purpose-first organisation driven by our mission, open source philosophy and implementing practices that consider the impact on students, learners, educators, employees, customers, society, and the environment.
We remain, as ever, committed to Moodle LMS as an open source platform. A defining characteristic of our open source values and practices is our pledge to build a secure learning management system that protects the privacy and security of learners’ and employees’ data.
Hacking and viruses have been a reality since the earliest days of modern computing and as technology has developed, so too have security risks. Much of this is due to the fact that more data is at risk, particularly as larger institutions, such as universities and governmental agencies harness the benefits of technology.
The crucial data stored on computers means more valuable information for hackers and more high profile cases of security breaches. National Computer Security Day raises awareness of the importance of online security and making sure your data is safe.
Control over your data
Hundreds of thousands of educational institutions, organisations, governments, and hundreds of millions of learners use Moodle daily. We provide them with the tools to ensure that their data, information and operations are secure and protected.
At Moodle, we never have and will not collect, use or monetise any student data or anyone’s personal information from any of the thousands of Moodle sites that exist worldwide.
As an open source platform, an organisation or education institution’s choice to use Moodle LMS as its learning management system is separate from its choice of a service provider. This means anyone using Moodle LMS can use their own or other resources for hosting and support or obtain assistance from a Certified Moodle Service Provider. This freedom gives them complete control over their users’ data, including how and where they run their Moodle sites.
Security by design
Moodle’s development practices include security by design. This means that we embed a security mindset right from the outset in all software development to ensure the delivery of a secure platform.
Unlike proprietary software, where the code is hidden and bugs might be exploited, the Moodle community constantly monitors the source code and collaborates to make it more secure through public, well-established processes. Any bugs are detected and fixed quickly, reducing the impact of vulnerabilities and security breaches. To protect all of our users, we practise responsible disclosure, which means we publicly announce issues that come to our attention only when fixes are available, and after registered Moodle sites have had time to upgrade or patch their installations. (This is distinct from our GDPR obligations which we adhere to separately.)
Moodle is used widely in the military, banking, and other high-security environments. These organisations frequently conduct penetration testing and share their findings with our core team.
Our fixes are reported globally through the global CVE network and applied to past supported releases to ensure they reach as many sites as possible.
We’ve also set up a security program with Bugcrowd that enables global security researchers to test our platform continuously, easily submitting any security issue through our Vulnerability Disclosure Program.
What you can do on National Computer Security Day
While our privacy features ensure that Moodle is GDPR compliant and adheres to local privacy legislation, some responsibility for compliance and safety rests with the organisation that controls each Moodle installation. On this National Computer Security Day we encourage organisations to implement security measures for their Moodle installation and:
- write multiple policy documents (including site policy for guests) so that they can be completely transparent with their learners, educators and anyone who visits their site on how they collect, use or disclose their data;
- protect digital minors with age-of-consent checks and manage access for minors who require parental agreement to access their learning management system;
- handle all data requests from learners and keep track of retention periods in a centralised place; and
- enable users to easily request access or download their data, to see the policies they’ve agreed to and appoint a Privacy officer role to manage subject access/deletion requests from such users centrally.