Security: Disclosure Policy
This policy explains how Firezone handles the disclosure of security vulnerabilities and security incidents, and what researchers and customers can expect from us.
To report a vulnerability, see reporting a vulnerability. Resolved issues are published as security advisories.
Vulnerability disclosure
Firezone practices coordinated disclosure. When we receive a report, we work privately with the reporter to validate and fix the issue before details are made public.
We triage and prioritize reported vulnerabilities based on their impact, and address higher-impact issues first. Once a fix is available for supported versions, we publish a security advisory.
Beyond responding to reports, we work to find and fix vulnerabilities proactively: production systems are continuously monitored and scanned, we run static analysis and dependency scanning in our development pipeline, and an independent third party performs penetration testing at least annually.
Scope
In scope:
- The Firezone Client and Gateway applications.
- Firezone-operated infrastructure, including relays, the admin portal, and the production systems that serve them.
Out of scope:
- Social engineering or phishing of Firezone employees, customers, or vendors.
- Physical attacks against Firezone offices, staff, or infrastructure.
- Denial-of-service (DoS/DDoS) or resource-exhaustion attacks.
- Reports produced solely by automated scanners without a demonstrated, exploitable impact.
- Third-party services and dependencies not operated by Firezone.
Releases and supported components
How we deliver a security fix depends on the component, because Firezone ships its components in two different ways:
- The Client and Gateway applications are distributed as semantically versioned releases that you install and run. We deliver security patches for these as new releases: see supported versions for the list of versions that receive patches, and keep your deployments up to date to stay protected.
- The relays and the admin portal are operated by Firezone as part of our managed service. They are not versioned for separate distribution: we fix vulnerabilities in them by deploying to our managed infrastructure, so no upgrade action is required from you.
We publish a security advisory for fixed vulnerabilities across all components. Each advisory describes the affected component and how the fix is delivered.
Incident disclosure
A security incident is an adverse event that threatens the confidentiality, integrity, or availability of the Firezone service or the data it contains. Production systems are monitored 24/7, and when an incident is identified we immediately initiate our incident response process: we triage and validate the event, assemble a response team, then contain, eradicate, and recover from the incident before conducting a postmortem.
If we have reason to believe an incident affects your organization, we notify impacted customers by Slack or email within 72 hours, unless legal obligations require otherwise.
Our incident notifications aim to include:
- A description of the incident and its impact on the service.
- The data, systems, or customers known or believed to be affected.
- The steps we've taken and are taking in response, including the date and time of relevant activity.
- Recommended actions for affected customers, and how to reach support.
As an investigation progresses, we provide updates through the same channels. Once the incident is resolved, we hold a postmortem to determine root cause and identify improvements, and we retain incident documentation to support any subsequent forensic or legal review.
Need help? See all support options.