How it works

The Open VSX Security Researcher Recognition program follows a simple and transparent process designed to support responsible disclosure and timely remediation.

1. Report the issue

If you believe you’ve discovered a security vulnerability in the Open VSX ecosystem, report it to the Open VSX Security Team.

Report a vulnerability →

2. We review it

We review each report to validate the issue and assess its impact.

View full Open VSX Security Policy →

3. We coordinate a fix

Once the issue is confirmed, we work with maintainers and stakeholders to resolve it through a coordinated process.

4. We recognise your contribution

After the issue is resolved, eligible contributors may be recognised for helping improve the security and trust of the Open VSX Registry.

Explore recognition levels → 

What qualifies for recognition?

In scope

Out of scope

Recognition levels

We recognize meaningful, responsibly disclosed contributions that help improve the security and trust of the Open VSX Registry. Recognition is based on impact, quality, and collaboration.

Validated Contributor

Criteria:
Submitted a verified and responsibly disclosed report.

Recognition:
Listing on Hall of Fame + digital badge

Trusted Researcher

Criteria:
Repeated or high-impact finding validated by the team.

Recognition:
Listing on Hall of Fame + certificate of recognition + digital badge + $50 swag voucher

Security Guardian

Criteria:
Exceptional collaboration or multi-issue discovery.

Recognition:
Listing on Hall of Fame + featured profile + certificate of recognition + digital badge + $100 swag voucher

Badges may be shared on LinkedIn, GitHub, personal websites, and professional portfolios.

View the Security Hall of Fame → 

Ready to contribute?

Help strengthen the Open VSX Registry through responsible security research.