Is IronFox open source, has it been independently audited, and what is its update policy for timely security patches?

1. Open-source status: public repos and license signals

IronFox’s code is publicly hosted: the project has an official GitLab repository and mirrors on GitHub and Codeberg, and APK/source bundles are archived on sites such as the Internet Archive and third‑party download pages that reference a license ^{[1] [2] [3] [4] [5]}. That footprint—active repositories and mirrored source—meets common expectations for an open‑source project in practice; a download page explicitly states the source repo and mentions GNU AGPLv3 for the APK distribution ^{[4] [5]}. The presence of build instructions and CI references in the repositories further supports that the project is intended to be reproducible from source ^[2].

2. Independent audits: no proof in the available reporting

Search results and the project pages provided show no independent security audit report, penetration test write‑up, or a named third‑party auditor for IronFox in the available materials. The corpus includes general vendor pages about open‑source auditing services (FossID, Snyk, FOSSA) but those are generic service descriptions and not audits of IronFox itself ^{[8] [9] [10] [11]}. Therefore, available sources do not mention any independent security audit or publicly posted audit report for IronFox ^{[8] [11]}.

3. Update cadence and security‑patch policy: not documented in sources

The materials include release pages (GitLab/GitHub mirrors and a community “midnight” fork with release notes) showing active development and occasional updates (e.g., forks tracking Firefox versions), but they do not document a formal security‑patch policy, SLAs, or a public timeline for patching known CVEs ^{[12] [13] [6]}. For example, a community “IronFoxMidnight” release page lists feature and version bumps tied to Firefox updates, but this is a forked build channel rather than a formal security policy statement from the main project ^[13]. Available sources do not mention a dedicated, published policy promising X‑day response times for security fixes.

4. Practical signals about security responsiveness

There are indirect signals you can infer: IronFox is a Firefox‑based fork (a Mull browser lineage) and some community forks explicitly update underlying Gecko/Firefox versions in release notes, which suggests maintainers follow upstream Firefox security releases to some degree ^{[2] [7] [13]}. However, following upstream releases is not the same as a documented, measurable security patch commitment. The presence of nightly or alternate package IDs to allow parallel installs in a fork (not necessarily the official project) suggests maintainers attempt rapid iteration, but available sources do not quantify patch speed ^[13].

5. Competing viewpoints and limits of the record

Security‑conscious users and reviewers (e.g., privacy reviewers) describe IronFox as a privacy‑hardened Firefox variant but also note the project’s “minimal” web presence and that it’s a relatively new continuation of Mull, implying a smaller team and lighter public footprint compared with large vendors ^[7]. Advocates could point to open repositories and reproducible builds as strong transparency signals ^{[2] [3]}; skeptics will reasonably demand independent audits and a published patch policy before trusting the browser for threat‑sensitive contexts—available sources do not supply either ^{[8] [11] [7]}.

6. What to look for next (actionable checks)

If you need a higher assurance level, request or look for (a) a posted third‑party security audit or SCA/SBOM from the project or a named auditor, (b) an explicit security/bug disclosure and patching policy in the main repo or website, and (c) evidence of timely merges of upstream Firefox security fixes (diffs/commit timestamps). None of these items are present in the sources provided here, so they should be the next verification steps if the project’s security posture matters to you ^{[6] [2] [4]}.

Limitations: all factual assertions above are constrained to the search results and sources you supplied; available sources do not mention an independent audit report or a formal, published security‑patch SLA for IronFox ^{[8] [11] [12]}.