Security Approach

Building a secure software is a mindset. Features, great UI, and easy deployment are often things that draw users to the software, but when building software in the cybersecurity space, the approach to security should be what tips the scales of choice. Here is ours.

Secure by design - software architecture matters

Defguard's software architecture and component communication were designed with the highest security in mind. Our Control Plane (controlling other components and user/network data) can be deployed in the Intranet segment, not accessible from the Internet ever!

Architecture image one

We have only two public components available from the Internet - when properly deployed and secured, they guarantee your network's safety!

  • Proxy is stateless and has no user/network data and no connection to any other components — the control plane connects to proxy (not the other way around), just collecting the data securely
  • Gateway only exposes the WireGuard port — meaning in order to breach it, the Kernel would need to be vulnerable
Architecture image two

On-premise / self-hosted first!

We build with an "on-premise first" mindset and architecture so you can control everything! Compare this to:

Hardware solutions

Cisco, Palo Alto, Fortigate, etc.

  • All-in-one/inline solutions (firewall, router, and VPN on one device) are a legacy approach. Being internet-facing entry points and at the same time exposing services (like SSL VPN portals) broadens the attack surface.
  • Actually, the most CVEs currently discovered are based on SSL VPN services for this type of device; breaching those services exposes your whole network!
Architecture image two

Cloud solutions

Tailscale, Netbird, Firezone, Netmaker

  • Despite their claims, they do not actually support 2FA/MFA during connection — only to configure the app or access the control plane
  • You always are responsible — why not go a step further!
  • Cloud service providers operate in a shared responsibility model…
  • All their services are publicly exposed on the Internet vs Defguard can be secured in the Intranet
  • If you value privacy — they store all your connection metadata
  • Don't rely on a 3rd party to be a Single Point of Failure for your whole company!
Could solutions image

We are open!

  • As far as we know, we are the only VPN solution that publishes detailed penetration testing reports from periodic security audits conducted by ISEC on all Defguard components.
  • We publish Software Bill of Materials (SBOM) for all our components, providing detailed information about the ingredients of the software we ship. Every day we use the SBOMs to scan for vulnerabilities in our dependencies and publish the results. Reacting to new vulnerabilities is a high priority for us.

Most of our code is open source, and the enterprise part is open code — enabling you to freely test and verify.

  • Our whole process: Release cycle, Roadmap and Architecture Decision Records are openly managed and shared.
  • No vendor lock-in — install on whatever hardware and operating system you like. This gives you huge advantage not only for ease of deployment and maintenance - but gives you full inspectability of the whole stack!

We chose Rust

  • Memory safety first! Rust prevents bugs like null pointer dereferencing, buffer overflows, and use-after-free through its ownership system, without needing a garbage collector.
  • Rust enforces strict compile-time checks on lifetimes, mutability, and borrowing, catching many bugs before the code runs.
  • Rust's type system prevents data races at compile time, ensuring safer concurrent programming.
  • Secure dependency ecosystem: Cargo and crates.io encourage reproducible builds, cryptographic signing, and dependency auditing.

Rust vs..

  • Rust vs C/C++: Code written in Rust's safe subset is guaranteed not to invoke undefined behavior.
  • Rust vs Go: Rust offers stronger memory and thread safety guarantees than Go without a garbage collector.

We also self host everything

We communicate internally on secure on-premise Matrix (matrix.org) channels. We use only self-hosted runners on GitHub to build our releases.

Our software stack:

Debian

Debian

debian.org
Rancher

Kubernetes with Rancher

Rancher
Outline

Knowledge management

Outline
Vaultwarden

Password storage

Vaultwarden
OPNsense

Firewall

OPNsense
Uptime Kuma

Monitoring

Uptime Kuma
Restic

Backups

Restic
Defguard

IdM/SSO

Defguard

Outside supervision

  • Defguard's code and architecture is in constant review by Polish cybersecurity experts: ISEC.
  • ISEC became an investor, and we have an ongoing relationship for pentests, architecture supervision, and 0days and CVE insights of the security solutions landscape.
  • We are ISO-27001:2023 certified.
Iso preview image

Physical security of our organization

  • Our services are hosted in an ISO27001-certified data center we helped design (Technopark Pomerania).
  • We use Yubico YubiKeys for 2FA/MFA for everything, provisioned via Defguard.
  • Our network uses enterprise WiFi (via Defguard RADIUS & OpenLDAP) and VLAN segmentation with OPNSense + Defguard.
  • Our office uses access cards for physical security control.

Verifiability of releases

  • Authenticity and integrity of all release assets can be verified.
  • All official Docker images are signed using Cosign and automatically scanned for known vulnerabilities with Trivy.
  • All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release.
Releases image

Found a security vulnerability in Defguard?

We welcome responsible disclosure from the security community. If you've discovered a potential vulnerability in Defguard, please contact our security team at security@defguard.net using encrypted communication.

To ensure your report is handled securely and confidentially, please follow these guidelines:

  • Report the vulnerability to us as early as possible, with as much detail as you can provide.
  • Encrypt your message using our PGP public key, available at https://defguard.net/pgp-key.txt (fingerprint: 3CC9 D7FD A5F5 DE35 52D8 806E FA1F 797D FA71 B44A).
  • Allow us a reasonable amount of time to investigate and address the issue before any public disclosure, and coordinate with our security team on the disclosure timeline.

Please note that we do not offer a bug bounty program, as Defguard is open-source software. However, reporting and testing vulnerabilities in Defguard helps strengthen the security of the entire ecosystem, protecting all users and organizations that rely on it. By contributing to our open-source security, you directly support transparency, trust, and continuous improvement for a project used by the wider community.