Security policy
1. Purpose and governing documents
This Security Policy governs the reporting and handling of security issues relating to Open VSX in its distinct roles as: (i) the Open VSX open source project and codebase; (ii) the public Open VSX service operated at https://open-vsx.org; and (iii) the hosting and moderation of extensions published to the public registry by third-party publishers.
This Security Policy shall be read together with the Open VSX Terms of Use, the Open VSX Publisher Agreement, the Eclipse Foundation Security Policy, and, where personal data is implicated, the Eclipse Foundation Privacy Policy. Where a more specific policy, agreement, or repository-level security document applies, that document shall control. In all other cases, the Eclipse Foundation Security Policy shall serve as the baseline framework.
2. Non-public reporting
Undisclosed security vulnerabilities must not be reported publicly. Do not disclose such issues in public issue trackers, pull requests, discussions, mailing lists, chat channels, social media, or other public forums.
Security vulnerabilities affecting the Open VSX codebase or the operation of the public service must be reported through the private channels identified below.
3. Scope
3.1 In scope
The following matters are within the scope of this Security Policy:
- Vulnerabilities in the Open VSX open source codebase, release artifacts, and project-maintained components;
- Security issues or vulnerabilities affecting the deployment, configuration, infrastructure, integrations, or operation of the public Open VSX service at https://open-vsx.org;
- Abuse, malicious behavior, or policy violations involving extensions or publishers in the public Open VSX registry, including suspected malware, undisclosed data collection, materially misleading listing information, publisher or namespace abuse, and other conduct that may violate the Terms of Use or the Publisher Agreement.
3.2 Out of scope
The following matters are outside the scope of coordinated vulnerability handling under this Security Policy:
- Vulnerabilities confined to the code of a third-party extension, where the issue does not affect the Open VSX codebase, the Open VSX service, or compliance with the Terms of Use or Publisher Agreement;
- Self-hosted, private, or third-party deployments of Open VSX that are not operated by the Eclipse Foundation at https://open-vsx.org;
- Vulnerabilities in third-party services, software, or infrastructure not maintained or operated as part of Open VSX, except to the extent that such vulnerabilities create a direct vulnerability in the Open VSX codebase or the Eclipse Foundation-operated public service;
- General bug reports, feature requests, compatibility issues, publisher onboarding questions, extension support requests, and other non-security matters.
4. Reporting categories and contact points
4.1 Vulnerabilities in the Open VSX open source codebase
If you believe you have identified a vulnerability in the Open VSX source code, release artifacts, or other project-maintained components, you must follow the reporting instructions set out in the Open VSX project security policy.
As provided there, reports may be submitted through the Eclipse Foundation Security Team at security@eclipse-foundation.org or through the confidential vulnerability reporting channel identified in that policy.
4.2 Security issues affecting the public Open VSX service
If you believe you have identified a security issue or vulnerability in the deployment or operation of the public Open VSX service at https://open-vsx.org, you must report it by email to:
security@open-vsx.org
This category includes, without limitation, issues involving production infrastructure, runtime configuration, authentication, authorization, secrets handling, service-side integrations, and other deployment-specific weaknesses affecting the Eclipse Foundation-operated service.
4.3 Abuse, malicious behavior, or policy violations involving extensions or publishers
If your report concerns an extension or publisher, rather than the Open VSX codebase or the Eclipse Foundation-operated public service, you must report it to:
security@open-vsx.org
This category includes, without limitation, suspected malware or other malicious code in an extension, undisclosed or misleading data-collection practices, materially misleading listing information, publisher or namespace abuse, and other conduct that may violate the Open VSX Terms of Use or the Open VSX Publisher Agreement.
4.4 Uncertain classification
If you are unsure whether a matter concerns the Open VSX codebase, the Eclipse Foundation-operated public service, or an extension or publisher, report it privately rather than publicly. If the issue may affect the public service, or if you are uncertain whether it constitutes a vulnerability, send the report to security@eclipse-foundation.org. If the matter clearly concerns an extension or publisher, send it to openvsx@eclipse-foundation.org.
5. Information to include in a report
To assist in triage and investigation, please include as much of the following information as reasonably possible:
- The nature of the issue;
- The affected component, extension, publisher, namespace, or service area;
- Affected versions, releases, or relevant dates;
- The observed or reasonably anticipated impact;
- Reproduction steps, where applicable;
- Relevant URLs, extension identifiers, publisher names, repository references, or other identifying information;
- Logs, screenshots, or other supporting evidence; and
- Proof-of-concept material only where necessary and safe to provide.
Please provide only the information reasonably necessary to understand and investigate the matter.
6. Handling and disclosure
Reports concerning vulnerabilities in the Open VSX codebase or the Eclipse Foundation-operated public service will be handled in a manner consistent with the Eclipse Foundation Security Policy, including private triage, coordinated handling, and disclosure in accordance with the applicable process.
Reporters can generally expect an acknowledgement within 2 business days. Each report will be reviewed and validated by the Open VSX Security Team, which will coordinate remediation where appropriate.
The Open VSX project does not offer a bug bounty program; however, security researchers who submit good-faith reports may be eligible for recognition through the Open VSX Security Researchers Recognition Program.
Reports concerning extensions or publishers will be handled under the applicable Terms of Use, the Publisher Agreement, and other applicable Eclipse Foundation policies. Such reports may result in investigation, requests for additional information, limitation of distribution, suspension, removal, account action, or other appropriate measures.
Nothing in this Security Policy obligates the Eclipse Foundation to disclose investigative steps, internal deliberations, or the outcome of any abuse or moderation review, except as otherwise required by applicable law or policy.
7. Publisher and extension-related obligations
Publishers remain solely responsible for their extensions, listing information, and related content. Without limiting the applicable agreements, publishers are required to ensure that their offerings do not contain malware or other malicious code, that listing information is not misleading and is substantially accurate and complete, and that any data collection is fully and accurately disclosed as required by the applicable agreements and law.
The Eclipse Foundation reserves the rights available to it under the Terms of Use, the Publisher Agreement, and applicable law with respect to hosted content, including the right to refuse, limit, suspend, or remove offerings or publisher access where appropriate.
8. Privacy and personal data
Do not include personal data, confidential information, credentials, secrets, or production data unless such information is reasonably necessary to understand and investigate the reported issue. This restriction does not apply to personal information that you voluntarily provide about yourself for the purpose of receiving credit for the report or participating in the researcher recognition program.
Where personal information is provided in connection with a report, it will be handled in accordance with the Eclipse Foundation Privacy Policy. Privacy-related inquiries may be directed to privacy@eclipse.org.
9. Non-security matters
Non-security matters should not be reported under this Security Policy. General bugs, feature requests, extension support requests, publisher onboarding questions, and similar matters should be directed to the ordinary Open VSX project or service support channels.