Vulnerability Disclosure

This page explains how Firezone handles coordinated vulnerability disclosure and security incidents, how to report a vulnerability you've found, and which components and versions receive security fixes. Resolved issues are published as security advisories.

How we handle disclosure

Firezone practices coordinated disclosure. When we receive a report, we work privately with the reporter to validate and fix the issue before details are made public.

We triage and prioritize reported vulnerabilities based on their impact, and address higher-impact issues first. Once a fix is available for supported versions, we publish a security advisory.

Beyond responding to reports, we work to find and fix vulnerabilities proactively: production systems are continuously monitored and scanned, we run static analysis and dependency scanning in our development pipeline, and an independent third party performs penetration testing at least annually.

Scope

In scope:

  • The Firezone Client and Gateway applications.
  • Firezone-operated infrastructure, including relays, the admin portal, and the production systems that serve them.

Out of scope:

  • Social engineering or phishing of Firezone employees, customers, or vendors.
  • Physical attacks against Firezone offices, staff, or infrastructure.
  • Denial-of-service (DoS/DDoS) or resource-exhaustion attacks.
  • Reports produced solely by automated scanners without a demonstrated, exploitable impact.
  • Third-party services and dependencies not operated by Firezone.

Releases and supported components

How we deliver a security fix depends on the component, because Firezone ships its components in two different ways:

  • The Client and Gateway applications are distributed as semantically versioned releases that you install and run. We deliver security patches for these as new releases — see supported versions for which versions receive patches, and keep your deployments up to date to stay protected.
  • The relays and the admin portal are operated by Firezone as part of our managed service. They are not versioned for separate distribution: we fix vulnerabilities in them by deploying to our managed infrastructure, so no upgrade action is required from you.

We publish a security advisory for fixed vulnerabilities across all components. Each advisory describes the affected component and how the fix is delivered.

Incident disclosure

A security incident is an adverse event that threatens the confidentiality, integrity, or availability of the Firezone service or the data it contains. Production systems are monitored 24/7, and when an incident is identified we immediately initiate our incident response process: we triage and validate the event, assemble a response team, then contain, eradicate, and recover from the incident before conducting a postmortem.

If we have reason to believe an incident affects your organization, we notify impacted customers by Slack or email within 72 hours, unless legal obligations require otherwise.

Our incident notifications aim to include:

  • A description of the incident and its impact on the service.
  • The data, systems, or customers known or believed to be affected.
  • The steps we've taken and are taking in response, including the date and time of relevant activity.
  • Recommended actions for affected customers, and how to reach support.

As an investigation progresses, we provide updates through the same channels. Once the incident is resolved, we hold a postmortem to determine root cause and identify improvements, and we retain incident documentation to support any subsequent forensic or legal review.

Reporting a vulnerability

We take security issues very seriously and strive to fix all security issues as soon as they're reported.

Please do not open a public GitHub issue for security issues you encounter. Instead, use one of the following methods:

  • Report a vulnerability on GitHub. This will be visible to the Firezone security team but not the general public.
  • Send an email to security AT firezone.dev describing the issue and we'll respond as soon as possible. You can encrypt your email with our PGP key.

Once a reported issue is resolved and a fix is available, we publish the details as a security advisory.

Supported versions

We support the latest released version of each Firezone Client and Gateway. Security fixes are delivered in a new release — we do not backport patches to older versions — so we recommend running the latest version at all times.

The Relay and admin portal are operated by Firezone as part of the managed service and are patched centrally, so version support does not apply to them; self-hosting them is not supported. See releases and supported components above for details.

See upgrading for more on how to keep Firezone up to date.

PGP key

You may use the public key below to encrypt emails to security AT firezone.dev. You can also find this key at:

https://keys.openpgp.org/vks/v1/by-fingerprint/250F8B56804107042DFC6A7345113BA04AD83D8A

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 250F 8B56 8041 0704 2DFC  6A73 4511 3BA0 4AD8 3D8A
Comment: Firezone Security <security@firezone.dev>

xjMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49j
oUMgHoTNKUZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlem9uZS5kZXY+
wpkEExYKAEECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AWIQQlD4tWgEEH
BC38anNFETugStg9igUCZeCcnAUJCfgsNwAKCRBFETugStg9ikL1AQD/+saUW/kO
nKGEIRtUywFCTB2WYw8qMPuKeNs8Seg2OwEA5r4/dk1imdO0PEUFW+K8c5iI7erH
dgVdBasVaZstFgTCmQQTFgoAQQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIX
gBYhBCUPi1aAQQcELfxqc0URO6BK2D2KBQJl3lQ0BQkIFLBQAAoJEEURO6BK2D2K
llgA/1RNbEtoTA+sd9l9YXLVu9nFgKUBbs9kZbjyWn3nZL0+AQDQ/j+RzxvSDYHw
u/ZGZukV99xywEeRugnQGJYaExZKC8KZBBMWCgBBAhsDBQsJCAcCAiICBhUKCQgL
AgQWAgMBAh4HAheAFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmRrk3gFCQah75QA
CgkQRRE7oErYPYrr9AD/ecxrjiqXKiBSqvpjTQAS62C793OH5+BCD77HIJx53QMA
/04ToQzx3eAiD/xTc1sWixIq2ZYj+Xb+zLXlUx8AugEAzjgEYYwK5BIKKwYBBAGX
VQEFAQEHQPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB8J+BBgW
CgAmAhsMFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmXgnM8FCQn4LGsACgkQRRE7
oErYPYrmagD8Drfj3tTJE1b7+kIjID0TMpTqB4/ghRHCxDs8t7uK/LAA/j1g/mbX
VpPejvDUfq4BBmKlqgQIoGsQuDt2TyYC8lQCwn4EGBYKACYCGwwWIQQlD4tWgEEH
BC38anNFETugStg9igUCZGuTYgUJBqHvfgAKCRBFETugStg9imPkAQCLuuSRgRul
WoYfGafZJeVv3s8hkvZH+EEhqOrUYtkm5QD9EXaELFVgOBmv0Ax4WUGfjnL6h4CP
IAuYUQ+MqN4MOQM=
=HwvF
-----END PGP PUBLIC KEY BLOCK-----
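Before encrypting a report to this key, check that the key block you hold really carries the fingerprint the page advertises (250F 8B56 8041 0704 2DFC 6A73 4511 3BA0 4AD8 3D8A), since a substituted key would let a third party read your report. The script below is an added example, not part of the Firezone documentation: it dearmors the block above, verifies the armor CRC-24, parses the primary public key and User ID packets, and recomputes the OpenPGP v4 fingerprint for comparison. It uses only the Python standard library; the function names and the structure of the returned dictionary are this example's own.

```python
import base64
import hashlib

# The key block exactly as published on the page.
ARMORED_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 250F 8B56 8041 0704 2DFC  6A73 4511 3BA0 4AD8 3D8A
Comment: Firezone Security <security@firezone.dev>

xjMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49j
oUMgHoTNKUZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlem9uZS5kZXY+
wpkEExYKAEECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AWIQQlD4tWgEEH
BC38anNFETugStg9igUCZeCcnAUJCfgsNwAKCRBFETugStg9ikL1AQD/+saUW/kO
nKGEIRtUywFCTB2WYw8qMPuKeNs8Seg2OwEA5r4/dk1imdO0PEUFW+K8c5iI7erH
dgVdBasVaZstFgTCmQQTFgoAQQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIX
gBYhBCUPi1aAQQcELfxqc0URO6BK2D2KBQJl3lQ0BQkIFLBQAAoJEEURO6BK2D2K
llgA/1RNbEtoTA+sd9l9YXLVu9nFgKUBbs9kZbjyWn3nZL0+AQDQ/j+RzxvSDYHw
u/ZGZukV99xywEeRugnQGJYaExZKC8KZBBMWCgBBAhsDBQsJCAcCAiICBhUKCQgL
AgQWAgMBAh4HAheAFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmRrk3gFCQah75QA
CgkQRRE7oErYPYrr9AD/ecxrjiqXKiBSqvpjTQAS62C793OH5+BCD77HIJx53QMA
/04ToQzx3eAiD/xTc1sWixIq2ZYj+Xb+zLXlUx8AugEAzjgEYYwK5BIKKwYBBAGX
VQEFAQEHQPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB8J+BBgW
CgAmAhsMFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmXgnM8FCQn4LGsACgkQRRE7
oErYPYrmagD8Drfj3tTJE1b7+kIjID0TMpTqB4/ghRHCxDs8t7uK/LAA/j1g/mbX
VpPejvDUfq4BBmKlqgQIoGsQuDt2TyYC8lQCwn4EGBYKACYCGwwWIQQlD4tWgEEH
BC38anNFETugStg9igUCZGuTYgUJBqHvfgAKCRBFETugStg9imPkAQCLuuSRgRul
WoYfGafZJeVv3s8hkvZH+EEhqOrUYtkm5QD9EXaELFVgOBmv0Ax4WUGfjnL6h4CP
IAuYUQ+MqN4MOQM=
=HwvF
-----END PGP PUBLIC KEY BLOCK-----
"""

# Fingerprint taken from the keys.openpgp.org URL on the page (no spaces).
EXPECTED_FINGERPRINT = "250F8B56804107042DFC6A7345113BA04AD83D8A"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used as the armor checksum."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip the ASCII armor, decode the base64 body and verify the CRC-24."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                              # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop()                       # "=XXXX": base64 of the 24-bit checksum
    if not crc_line.startswith("="):
        raise ValueError("missing armor checksum line")
    data = base64.b64decode("".join(body), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: the key block is corrupted")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) for new-format OpenPGP packets, as gpg exports them."""
    pos = 0
    while pos < len(data):
        ctb, first = data[pos], data[pos + 1]
        if ctb & 0xC0 != 0xC0:
            raise ValueError(f"unsupported packet header at offset {pos}")
        pos += 2
        if first < 192:                         # one-octet length
            length = first
        elif first < 224:                       # two-octet length
            length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
        elif first == 255:                      # five-octet length
            length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        else:
            raise ValueError("partial body lengths are not used in key blocks")
        yield ctb & 0x3F, data[pos:pos + length]
        pos += length


def v4_fingerprint(key_body: bytes) -> str:
    """v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, the two-octet
    body length, and the public key packet body (version, time, algorithm, key)."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def inspect_key(armored: str = ARMORED_KEY) -> dict:
    """Parse the primary key and first User ID and compare the fingerprint."""
    packets = list(parse_packets(dearmor(armored)))
    tag, body = packets[0]
    if tag != 6 or body[0] != 4:                # tag 6 = public key, version 4
        raise ValueError("expected a version 4 public key packet first")
    user_id = next(b.decode() for t, b in packets if t == 13)   # tag 13 = User ID
    fingerprint = v4_fingerprint(body)
    return {
        "algorithm": body[5],                   # 22 = EdDSA; the OID after it names Ed25519
        "user_id": user_id,
        "fingerprint": fingerprint,
        "key_id": fingerprint[-16:],            # long key ID = low 64 bits of the fingerprint
        "matches_page": fingerprint == EXPECTED_FINGERPRINT,
    }
```

Run `inspect_key()` and refuse to encrypt unless `matches_page` is `True` and `user_id` is the expected address. With GnuPG the equivalent check is `gpg --show-keys` on a file holding the block, or `gpg --import` followed by `gpg --fingerprint security@firezone.dev`; compare the printed fingerprint both with the one in the URL above and with the copy served by keys.openpgp.org.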

Last updated: July 01, 2026