I've been using VS Code for a year or so now. I have no idea how VS Code Extension security is handled. I'm alarmed by things like this:

Some questions I have are:

  • What does Microsoft do to ensure Extensions we install are safe?
  • Are they scanning the Extensions for known vulns?
  • Is VS Code safe to use in an Enterprise Environment?
  • How can I tell?
  • Why are duplicate extension names allowed!
    • There are security and marketing implications by Microsoft allowing "package-squatting".

Does anyone have insights to share regarding VS Code Extension Security?

SeaDude
ericOnline
    [*"**Extensions.** The software gives you the option to download other Microsoft and third party software packages from our extension marketplace or package managers. Those packages are under their own licenses, and not this agreement. Microsoft does not distribute, license or provide any warranties for any of the third party packages. By accessing or using our extension marketplace, you agree to the extension marketplace terms located at https://go.microsoft.com/fwlink/?LinkID=266231."*](https://code.visualstudio.com/license) – jonrsharpe Mar 12 '19 at 16:54

1 Answer

Hm. Unfortunately, the link to "extension marketplace terms" that @jonrsharpe provided does not include the word "extension". If you extrapolate VS Code Extensions to be covered by the Azure Marketplace terms (as alluded to in the text), then you get this little tidbit:

https://azure.microsoft.com/en-us/support/legal/marketplace-terms/

Publisher Privacy Policies. Publishers are responsible for providing privacy statements that describe their privacy practices with respect to Customer Data collected by their Offerings or any customer information that they receive from Microsoft. Unless indicated otherwise in connection with a Marketplace Offering published by Microsoft, Microsoft’s privacy, security, and data location and data retention policies will not apply to any Marketplace Offering or to Publishers’ use of any Customer Data or other customer information.

In short "...Microsoft's privacy, security...policies will not apply to any..." VS Code Extensions OR to "...Publishers' use of any Customer Data or other customer information."

Microsoft does NOT handle VS Code Extension Security.

ericOnline