INTRODUCING

Open VSX Security Researcher Recognition

Recognising responsible security research and reporting that strengthens the Open VSX Registry and ecosystem

The Open VSX Registry is critical modern developer infrastructure

As the registry grows in scale and adoption, so does its responsibility to protect developers, extension consumers, and the open source ecosystem.

The Open VSX Security Researcher Recognition Program provides a clear, ethical pathway for reporting security vulnerabilities, and publicly recognises responsible disclosure that strengthens the Open VSX ecosystem.

Why this program exists

Extension registries are now part of the active threat landscape. Recent industry incidents have shown how extension ecosystems can be exploited to distribute malware, compromise developer environments, and harvest sensitive data.

While the Open VSX team has acted quickly and transparently when issues were reported, some discoveries were disclosed publicly or routed elsewhere before reaching the project directly. This creates unnecessary risk and slows remediation.

The Open VSX Security Researcher Recognition Program exists to close that gap by:

Who should participate

The program is open to anyone whose work helps make Open VSX more secure, including:

If your research identifies a genuine security issue affecting the Open VSX Registry or ecosystem, we want to hear from you.

What you'll receive

Eligible contributors may receive:

Recognition is based on impact, collaboration, and responsible disclosure.

Ready to contribute?

Help strengthen the Open VSX Registry through responsible security research.
