As VSCode+ primarily provides configurations, extension recommendations, and documentation, security concerns are relatively limited. However, we take security seriously.

| Repository Type | Supported |
|---|---|
| Latest configurations | ✅ |
| Documentation | ✅ |
| Archived repositories | ❌ |

If you discover a security vulnerability within any VSCode+ repository, please report it responsibly. Examples of what to report:
- Security issues in recommended extensions (we'll update recommendations)
- Malicious code in configuration files
- Vulnerabilities in dev container configurations
- Scripts that could execute harmful commands
- Documentation that could lead to security issues

Please DO NOT open a public issue for security vulnerabilities.

Instead:
- Email: Send details to adrian.the.hactus@gmail.com
- Subject: Start with "SECURITY:" followed by a brief description
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if you have one)
  - Your contact information

What to expect after you report:
- Acknowledgment: Within 48 hours
- Assessment: Within 5 business days
- Updates: Regular communication on status
- Resolution: Fix or mitigation as quickly as possible
- Credit: Public acknowledgment (if desired) after the fix

When using VSCode+ configurations:

Extensions:
- ✅ Review extensions before installing
- ✅ Check extension publisher and ratings
- ✅ Keep extensions updated
- ✅ Remove unused extensions
- ❌ Don't install from unknown sources

Settings:
- ✅ Review settings before applying
- ✅ Understand what each setting does
- ✅ Test in a safe environment first
- ✅ Keep backups of your settings
- ❌ Don't blindly copy-paste configurations

Dev containers:
- ✅ Review Dockerfile and devcontainer.json
- ✅ Use official base images when possible
- ✅ Keep containers updated
- ✅ Limit container permissions
- ❌ Don't run containers with unnecessary privileges

Scripts:
- ✅ Review scripts before executing
- ✅ Understand what commands will run
- ✅ Run with appropriate permissions
- ✅ Use version control
- ❌ Don't run scripts from untrusted sources
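
One way to automate the dev container review items above (reviewing devcontainer.json and spotting unnecessary privileges), as an added example that is not part of VSCode+ or its repositories. The property names checked come from the Dev Container specification; the sample configuration is constructed, and the list of flagged run arguments is this example's own choice.

```python
import json
import re

_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(text):
    """Parse devcontainer.json text: comments are dropped, strings are kept intact.
    Assumption of this example: the file has no trailing commas."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_JSONC.sub(keep_strings, text))

RISKY_RUN_ARGS = ("--privileged", "--cap-add", "--security-opt",
                  "--network=host", "--net=host", "--pid=host")

def audit_devcontainer(text):
    """Return a list of findings for settings that widen container privileges."""
    cfg = load_jsonc(text)
    findings = []
    if cfg.get("privileged") is True:
        findings.append("privileged: container runs with full host privileges")
    for cap in cfg.get("capAdd", []):
        findings.append(f"capAdd: extra capability {cap}")
    for opt in cfg.get("securityOpt", []):
        if "unconfined" in opt:
            findings.append(f"securityOpt: {opt} disables a sandbox profile")
    for arg in cfg.get("runArgs", []):
        if arg.startswith(RISKY_RUN_ARGS):
            findings.append(f"runArgs: {arg}")
    for mount in cfg.get("mounts", []):
        # Mounts may be Docker --mount strings or objects with a "source" key.
        source = mount.get("source", "") if isinstance(mount, dict) else mount
        if "docker.sock" in source:
            findings.append("mounts: host Docker socket exposed to the container")
    if cfg.get("remoteUser") == "root" or cfg.get("containerUser") == "root":
        findings.append("user: container is configured to run as root")
    if "initializeCommand" in cfg:
        findings.append("initializeCommand: runs on the host, review it")
    return findings

SAMPLE = """{
  // constructed sample, not taken from any VSCode+ repository
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "runArgs": ["--cap-add=SYS_PTRACE", "--init"],
  "mounts": ["source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"],
  "remoteUser": "root",
  "initializeCommand": "./scripts/setup.sh"
}"""

if __name__ == "__main__":
    print("\n".join(audit_devcontainer(SAMPLE)))
```

A finding is a prompt for manual review, not proof of a problem: some workflows legitimately need an extra capability, and an empty result does not cover what the Dockerfile itself does.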

We strive to:
- Recommend extensions from verified publishers
- Keep documentation updated with latest security practices
- Monitor for security issues in recommended tools
- Update configurations when security issues are discovered
- Provide clear warnings for potentially risky configurations

Disclosure:
- Security issues will be disclosed after a fix is available
- We'll credit researchers who report issues (with permission)
- Critical vulnerabilities will be announced across all channels
- We'll maintain a security advisory for significant issues

If you have suggestions for improving this policy, please open an issue or contact the maintainers.

Last Updated: October 23, 2025