Bugs without bounty: Eclipse Foundation launches security program for Open VSX
Supply chain protection: Eclipse Foundation encourages developers to find vulnerabilities in Open VSX Registry – but no money is offered.
(Image: Olya Detry / Shutterstock.com)
The Eclipse Foundation has launched a new initiative to motivate developers to report vulnerabilities in the Open VSX Registry. This vendor-independent platform for VS Code extensions, with over 300 million monthly downloads, is often a target for supply chain attacks attempting to spread malware via such extensions.
The Open VSX Security Researcher Recognition Program is aimed at security researchers, security teams, or open-source developers. However, there are no financial rewards. Instead, Eclipse rewards finders with entries in a public Hall of Fame, digital badges, and vouchers – depending on the relevance of the reported vulnerability and the quality of the submission. In contrast, classic bug bounty programs pay participants, as OpenAI recently did: The company launched its bug bounty program in March and offers rewards from 250 to 5500 US dollars.
Other projects like Curl are also foregoing bounties: worthless AI-generated bug reports have increased so much that maintainers can no longer keep up with reviewing them. Curl now uses HackerOne only to manage incoming reports, not to pay for them.
Wave of attacks on extension registries
Supply chain attacks on extension registries have intensified massively in recent months and became publicly known with the widespread GlassWorm attack at the end of last year. Extensions for IDEs and code editors run without a sandbox and have extensive permissions: they have access to the system, source code, and secrets. This makes them an attractive entry point for supply chain attacks.
In response, Open VSX has increased pre-release checks since early 2026. The packages go through several stages:
- Similarity checks compare names to detect typosquatting – for example, if someone tries to upload an extension named “esllint” instead of “eslint.”
- Malware scanners check for known malicious code patterns based on signatures.
- Secrets scanning looks for accidentally included tokens or access credentials like AWS keys.
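To illustrate the two text-based stages above, here is a small pre-publication triage check written for this article; it is an added example, not Open VSX's own code, and the known-name list, the sample package and the AWS key pattern (the documented "AKIA..." access key ID format) are assumptions constructed for the demo:

```python
import re

# Constructed list of popular extension names; a real registry would use its own index.
KNOWN_EXTENSIONS = {"eslint", "prettier", "python", "gitlens"}

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) plus 16 chars.
AWS_ACCESS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used for name similarity."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity_check(name: str, known=KNOWN_EXTENSIONS, max_distance: int = 1) -> list[str]:
    """Known names that the candidate resembles but does not equal (typosquatting signal)."""
    return sorted(k for k in known if k != name and levenshtein(name, k) <= max_distance)


def secrets_scan(files: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, match) pairs for strings that look like AWS access key IDs."""
    return [(path, m.group()) for path, text in files.items()
            for m in AWS_ACCESS_KEY.finditer(text)]


def triage(name: str, files: dict[str, str]) -> tuple[str, list[str]]:
    """Decide 'publish' or 'quarantine' for manual review, with the reasons found."""
    reasons = []
    lookalikes = similarity_check(name)
    if lookalikes:
        reasons.append(f"name resembles {', '.join(lookalikes)}")
    leaks = secrets_scan(files)
    if leaks:
        reasons.append(f"possible credentials in {', '.join(p for p, _ in leaks)}")
    return ("quarantine" if reasons else "publish", reasons)


# Constructed sample upload: a lookalike name and a leaked example key in its config.
SAMPLE_UPLOAD = {
    "package.json": '{"name": "esllint"}',
    "src/config.js": 'const key = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation example key',
}

if __name__ == "__main__":
    print(triage("esllint", SAMPLE_UPLOAD))
```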
Suspicious uploads are quarantined for manual review by administrators. As an open-source project, Open VSX can also be self-hosted, an aspect that is relevant for European companies in terms of digital sovereignty.
(who)