Security Policy
We dogfood Firmis on itself. Every commit is scanned. Self-scan results are reviewed with every release. If we find it, we fix it before it ships.
Supported versions
Section titled “Supported versions”| Version | Supported |
|---|---|
| 2.1.x | Yes |
| 2.0.x | Yes |
| 1.7.x | Yes |
| < 1.7 | No |
Reporting a vulnerability
Section titled “Reporting a vulnerability”Email: security@firmislabs.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Affected version(s)
We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
Security practices
Section titled “Security practices”- All 324 detection rules are open-source YAML - auditable by anyone
- Firmis runs entirely offline by default - no network access required
- No telemetry collected by default - nothing leaves your machine unless you opt in
- Dependencies are regularly audited with
npm audit - We dogfood Firmis on itself - self-scan results are reviewed with each release
- Read-only scanning - Firmis never modifies any file it scans
What to do next
Section titled “What to do next”- Security Model → - what Firmis detects, what it doesn’t, and why
- Privacy → - full data collection policy