The Eclipse Foundation Launches Open VSX Security Researcher Recognition Program to Strengthen Supply Chain Security

Initiative supports responsible disclosure by the global security research community to protect critical open source developer infrastructure

BRUSSELS – 14 April 2026 – The Eclipse Foundation today announced the Open VSX Security Researcher Recognition Program, a new initiative designed to strengthen the security of the Open VSX Registry by encouraging responsible vulnerability disclosure and recognising contributions from the global security research community.

The program establishes a clear, ethical pathway for reporting security vulnerabilities affecting Open VSX, while formally acknowledging individuals and organisations who help improve the security, integrity, and trust of the ecosystem.

The announcement follows the significant momentum and continued growth of the Open VSX Registry, which recently surpassed 300 million monthly downloads and has become critical infrastructure for AI-native IDEs, cloud development environments, and VS Code-compatible platforms used by millions of developers worldwide.

“Open VSX is critical infrastructure for modern developer platforms, making it an increasingly attractive target for bad actors and reinforcing the need for proactive risk mitigation,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “As adoption accelerates and the threat landscape becomes more sophisticated, responsible security research is essential. This program creates a clear path for researchers to collaborate with us and be recognised for protecting the ecosystem.”

Strengthening supply chain security through responsible disclosure

As extension registries play an increasingly central role in modern software development, they have also become part of the active threat landscape of the software supply chain. Attackers have demonstrated the ability to exploit extension ecosystems to distribute malicious code, compromise development environments, and access sensitive data.

The Open VSX Registry has introduced a range of proactive security measures to address these risks, including pre-publication verification, detection of malicious patterns, and infrastructure enhancements to improve resilience and trust.

The Security Researcher Recognition Program builds on these efforts by:

  • Encouraging early, responsible disclosure of vulnerabilities
  • Providing a direct and transparent reporting process
  • Supporting coordinated remediation with maintainers and stakeholders
  • Strengthening collaboration with the global security research community
  • Publicly recognising impactful contributions

Recognition-based model to support the security researcher community

The Open VSX Security Researcher Recognition Program is designed to complement existing security practices by focusing on recognition, transparency, and collaboration, rather than financial incentives.

Eligible contributors may receive:

  • Public recognition in the Open VSX Security Hall of Fame
  • Shareable digital badges and certificates of recognition
  • Swag rewards based on impact and contribution level

Recognition is based on the impact of the finding, the quality of the report, and adherence to responsible disclosure practices.

The program is open to independent researchers, academic institutions, security consultancies, open source contributors, and developers who identify real-world risks in the Open VSX ecosystem.

Supporting trusted, open developer infrastructure

Open VSX is a vendor-neutral extension registry governed under the Eclipse Foundation, supporting a rapidly expanding ecosystem of developer tools and platforms. As reliance on extension ecosystems grows, maintaining trust requires both technical safeguards and active community participation.

The program reinforces the Eclipse Foundation’s broader commitment to advancing:

  • Software supply chain security
  • Transparent, vendor-neutral governance
  • Long-term sustainability of open source infrastructure

How to participate

Security researchers, developers, and community members are invited to help strengthen the security and trust of the Open VSX ecosystem. The Open VSX Researcher Recognition Program provides a clear pathway for responsible vulnerability disclosure, along with opportunities to contribute more broadly to the project and community.
