Protecting the X VSCode Extensions ecosystem

If you discover a security vulnerability in X VSCode Extensions (including Themes, Transparency tools, or APC-based injection styles), please report it responsibly via email to:

Email: x@xscriptor.com

Do not open public GitHub issues for security vulnerabilities. Private disclosure allows us to fix the issue before it can be exploited.

When reporting a security issue, please provide:

1. Description — A clear explanation of the vulnerability.
2. Type — The category of the issue (e.g., code injection, sensitive data exposure, etc.).
3. Steps to Reproduce — Detailed steps or a Proof of Concept (PoC) to trigger the vulnerability.
4. Impact — How severe is the issue? What could an attacker achieve?
5. Affected Extensions — Which specific extension or theme is affected?
6. Proposed Fix (optional) — Suggestions on how to patch the vulnerability.

• Confidentiality — Do not disclose the vulnerability publicly until a fix is released.
• Patience — Please give the maintainers reasonable time to address the issue before public disclosure.
• Response Time — We aim to acknowledge receipt within 7 days and provide a resolution for critical issues within 30 days.

While these extensions are designed to be safe, please keep these recommendations in mind:

1. Stay updated — Always use the latest version of the extensions available on the Marketplace or GitHub.
2. Verify Injection Sources — When using extensions that require script injection (like APC+), ensure you understand the changes being made to your VSCode core.
3. Configuration Privacy — Be cautious when sharing your settings.json if it contains sensitive file paths or tokens.
4. Third-Party Styles — Only apply CSS/JS injections from trusted sources within the Xscriptor repository.

Security patches will be prioritized and released as soon as a stable fix is verified. We appreciate your help in keeping the VSCode community safe.

Thank you for helping keep X VSCode extensions secure!