Security Policy
We dogfood Firmis on itself. Every commit is scanned. Self-scan results are reviewed with every release. If we find it, we fix it before it ships.
Supported versions
| Version | Supported |
|---|---|
| 1.3.x | Yes |
| 1.2.x | Yes |
| < 1.2 | No |
Reporting a vulnerability
Email: security@firmislabs.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Affected version(s)
We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
Security practices
- All 209 detection rules are open-source YAML — auditable by anyone
- Firmis runs entirely offline by default — no network access required
- No telemetry collected by default — nothing leaves your machine unless you opt in
- Dependencies are regularly audited with npm audit
- We dogfood Firmis on itself — self-scan results are reviewed with each release
- Read-only scanning — Firmis never modifies any file it scans
What to do next
- Security Model → — what Firmis detects, what it doesn’t, and why
- Privacy → — full data collection policy