Our Security Approach

Building secure software is a mindset. Features, great UI, and easy deployment are often the things that draw users to software, but when building software in the cybersecurity space, the approach to security should be what tips the scales of choice. Here is ours.

Secure by design - software architecture matters

  • Defguard’s software architecture and component communication were designed with the highest security in mind. Our Control Plane (controlling other components and user/network data) can be deployed in the Intranet segment, not accessible from the Internet ever!
  • We have only two public components available from the Internet - when properly deployed and secured, they guarantee your network's safety!
    • Proxy is stateless and holds no user/network data and no connection to any other component — the control plane connects to the proxy (not the other way around), just collecting the data securely
    • Gateway only exposes the WireGuard port — meaning that in order to breach it, the kernel would need to be vulnerable

On-premise / self-hosted first!

We build with an "on-premise first" mindset and architecture so you can control everything! Compare this to:

  • Hardware solutions (Cisco, Palo Alto, Fortigate, etc.)
    • All-in-one/inline solutions (firewall, router, and VPN on one device) are a legacy approach. Being Internet-facing entry points and at the same time exposing services (like SSL VPN portals) broadens the attack surface.
    • In fact, most CVEs currently discovered for this type of device are in their SSL VPN services; breaching those services exposes your whole network!
  • Cloud solutions (Tailscale, Netbird, Firezone, Netmaker)
    • Despite their claims, they do not actually support 2FA/MFA during connection — only to configure the app or access the control plane
    • You are always responsible anyway — why not go a step further!
    • Cloud service providers operate in a shared responsibility model…
    • All their services are publicly exposed on the Internet, whereas Defguard can be secured inside the Intranet
    • If you value privacy — they store all your connection metadata
    • Don’t rely on a 3rd party to be a Single Point of Failure for your whole company!

We are open!

  • As far as we know, we are the only VPN solution that publishes detailed penetration testing reports from periodic security audits conducted by ISEC on all Defguard components.
  • We publish a Software Bill of Materials (SBOM) for all our components, providing detailed information about the ingredients of the software we ship. Every day we use the SBOMs to scan for vulnerabilities in our dependencies and publish the results. Reacting to new vulnerabilities is a high priority for us.
  • Most of our code is open source, and the enterprise part is open code — enabling you to freely test and verify.
  • Our whole process: Release cycle, Roadmap and Architecture Decision Records are openly managed and shared.
  • No vendor lock-in — install on whatever hardware and operating system you like. This gives you a huge advantage not only for ease of deployment and maintenance, but also full inspectability of the whole stack!

We chose Rust

  • Memory safety first! Rust prevents bugs like null pointer dereferencing, buffer overflows, and use-after-free through its ownership system, without needing a garbage collector.
  • Rust enforces strict compile-time checks on lifetimes, mutability, and borrowing, catching many bugs before the code runs.
  • Rust's type system prevents data races at compile time, ensuring safer concurrent programming.
  • Secure dependency ecosystem: Cargo and crates.io encourage reproducible builds, cryptographic signing, and dependency auditing.

Rust vs...

  • Rust vs C/C++: Code written in Rust's safe subset is guaranteed not to invoke undefined behavior.
  • Rust vs Go: Rust offers stronger memory and thread safety guarantees than Go without a garbage collector.

We also self host everything

  • We communicate internally and with our customers on secure on-premise Matrix (matrix.org) channels.
  • We use only self-hosted runners on GitHub to build our releases.
  • Our software stack:

Outside supervision

  • Defguard's code and architecture are under constant review by Polish cybersecurity experts: ISEC.
  • ISEC became an investor, and we have an ongoing relationship for pentests, architecture supervision, and insights into 0-days and CVEs across the security-solutions landscape.
  • We are currently in the middle of ISO27001 certification.

Physical security of our organisation

  • Our services are hosted in an ISO27001-certified data center we helped design (Technopark Pomerania).
  • Our network uses enterprise WiFi (via Defguard RADIUS & OpenLDAP) and VLAN segmentation with OPNsense + Defguard.
  • We use Yubico YubiKeys for 2FA/MFA for everything, provisioned via Defguard.
  • Our office uses access cards for physical security control.

Verifiability of releases

  • Authenticity and integrity of all release assets can be verified.
  • All official Docker images are signed using Cosign and automatically scanned for known vulnerabilities with Trivy.
  • All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release.
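As an added example (not Defguard's own release tooling), the POSIX shell script below checks a set of downloaded release assets against a published SHA256 checksum list in the usual `sha256sum` layout (`<hex digest>  <filename>`). The asset names and contents are constructed here for the demonstration; a missing asset or a mismatched digest both count as verification failure. Docker image signatures are a separate step, checked with `cosign verify` against the image reference and the signing identity the project documents, which this page does not list.

```shell
#!/bin/sh
# Added example: verify release assets against a published SHA256 checksum list.
# Assumes the checksum file uses the "<hex digest>  <filename>" layout produced
# by sha256sum. Asset names and contents below are constructed, not real releases.

set -u

# Print the SHA-256 digest of one file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksums CHECKSUM_FILE ASSET_DIR
# Returns 0 only if every listed asset exists and its digest matches.
# A missing asset or a mismatched digest is reported and counted as a failure.
verify_checksums() {
    checksum_file=$1
    asset_dir=$2
    failures=0
    while read -r expected name; do
        [ -n "${name:-}" ] || continue      # skip blank lines
        name=${name#\*}                      # drop sha256sum's binary-mode marker
        path="$asset_dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            failures=$((failures + 1))
        fi
    done < "$checksum_file"
    [ "$failures" -eq 0 ]
}

# make_demo: build a temporary directory with two constructed assets and a
# matching SHA256SUMS file, then print the directory path.
make_demo() {
    demo_dir=$(mktemp -d)
    printf 'constructed asset one\n' > "$demo_dir/example-core.bin"
    printf 'constructed asset two\n' > "$demo_dir/example-proxy.bin"
    ( cd "$demo_dir" && for f in example-core.bin example-proxy.bin; do
          printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done > SHA256SUMS )
    echo "$demo_dir"
}

# Stand-alone demonstration: clean assets verify, a tampered asset does not.
demo=$(make_demo)
verify_checksums "$demo/SHA256SUMS" "$demo" && echo "all assets verified"
printf 'tampered\n' >> "$demo/example-proxy.bin"
verify_checksums "$demo/SHA256SUMS" "$demo" || echo "verification failed after tampering, as expected"
```

The checksum file must itself come from a trusted channel (the GitHub release page over TLS, or a signed artifact), since a checksum list fetched from the same untrusted location as the asset proves nothing; the digest check only ties the downloaded bytes to what was published.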

Found a security vulnerability in Defguard?

We welcome responsible disclosure from the security community. If you've discovered a potential vulnerability in Defguard, please contact our security team at security@defguard.net using encrypted communication.

Please note that we do not offer a bug bounty program, as Defguard is open-source software. However, reporting and testing vulnerabilities in Defguard helps strengthen the security of the entire ecosystem, protecting all users and organizations that rely on it. By contributing to our open-source security, you directly support transparency, trust, and continuous improvement for a project used by the wider community.

To ensure your report is handled securely and confidentially, please follow these guidelines:

  • Report the vulnerability to us as early as possible, with as much detail as you can provide.
  • Encrypt your message using our PGP public key, available at https://defguard.net/pgp-key.txt (fingerprint: 3CC9 D7FD A5F5 DE35 52D8 806E FA1F 797D FA71 B44A).
  • Allow us a reasonable amount of time to investigate and address the issue before any public disclosure, and coordinate with our security team on the disclosure timeline.