Security: EclipseFdn/open-vsx.org

SECURITY.md

Security Policy

Reporting Security Issues

If you believe you have found a security vulnerability affecting the deployment, configuration, infrastructure, integrations, or operation of the public Open VSX service at https://open-vsx.org, please report it through coordinated disclosure.

Do not report security vulnerabilities through public GitHub issues, discussions, pull requests, or other public channels.

For security issues related to this repository, report the issue by email to:

security@open-vsx.org

Reports concerning this repository are handled as security issues affecting the public Open VSX service, as described in section 4.2 of the Open VSX Security Policy.

What To Include

Please include as much relevant information as reasonably possible, such as:

  • A description of the issue;
  • The affected service area, component, configuration, URL, or workflow;
  • Steps to reproduce the issue, if applicable;
  • The observed or potential impact;
  • Relevant logs, screenshots, request/response details, or other supporting evidence;
  • Any proof-of-concept material, only where necessary and safe to provide.

Please do not include credentials, secrets, personal data, confidential information, or production data unless it is strictly necessary to understand and investigate the issue.

Other Open VSX Security Reports

For vulnerabilities in the Open VSX open source codebase, release artifacts, or project-maintained components outside this repository, follow the reporting instructions in the relevant Open VSX project security policy.

For suspected malicious extensions, publisher abuse, namespace abuse, misleading extension listings, or other extension-related security or policy concerns, follow the reporting instructions in the Open VSX Security Policy.

If you are unsure how to classify a report, report it privately rather than publicly.

There aren't any published security advisories