The Eclipse Foundation announced the Open VSX Security Researcher Recognition Program, a new initiative designed to strengthen the security of the Open VSX Registry by encouraging responsible vulnerability disclosure and recognising contributions from the global security research community.
The Open VSX Registry is an open, vendor-neutral extension registry for tools built on the VS Code extension API. Governed transparently under the Eclipse Foundation, it provides developers, publishers, and platform builders with a trusted open alternative to proprietary extension marketplaces.
“Open VSX is critical infrastructure for modern developer platforms, making it an increasingly attractive target for bad actors and reinforcing the need for proactive risk mitigation. As adoption accelerates and the threat landscape becomes more sophisticated, responsible security research is essential. This program creates a clear path for researchers to collaborate with us and be recognised for protecting the ecosystem,” said Mike Milinkovich, Executive Director of the Eclipse Foundation.
As extension registries play an increasingly central role in modern software development, they have also become part of the active threat landscape of the software supply chain. Attackers have demonstrated the ability to exploit extension ecosystems to distribute malicious code, compromise development environments, and access sensitive data.
The new security program establishes an ethical pathway for reporting security vulnerabilities affecting Open VSX, while formally acknowledging individuals and organisations who help improve the security, integrity, and trust of the ecosystem. It provides a range of proactive security measures to address these risks, including pre-publication verification, detection of malicious patterns, and infrastructure enhancements to improve resilience and trust.
The announcement follows the significant momentum and continued growth of the Open VSX Registry, which recently surpassed 300 million monthly downloads and has become critical infrastructure for AI-native IDEs, cloud development environments, and VS Code-compatible platforms used by millions of developers worldwide.





