FAQs
Is this a bug bounty program?
No. This program focuses on recognition and ethical disclosure.
Can organisations be recognised?
Yes. Both individuals and organisations may be listed.
Can I remain anonymous?
Yes. Recognition by alias or handle is supported.
What if I already disclosed publicly?
Public disclosure before coordinated remediation makes a report ineligible.
How long does remediation take?
Projects aim to resolve issues within three months, in line with the Open VSX Security Policy.
Where can I find the complete Open VSX Security Policy?
The Open VSX Security Policy can be found here.
Ready to contribute?
Help strengthen the Open VSX Registry through responsible security research.