How frequently are security patches and upstream Firefox fixes applied in IronFox versus Hardened Firefox?

1. What IronFox says it does: an active patch workflow, not a calendar

IronFox describes a structured process: scripts that download the Firefox source, apply a curated set of privacy/security patches, and build the resulting binary for release, and its documentation explicitly points to a “Patch Management System” controlling those changes ^[1]. The project’s repositories are mirrored across GitLab, Codeberg and GitHub and include named patches (for example, glean-noop.patch and gecko-disable-network-id.patch) adapted from other privacy projects like Tor, which indicates a deliberate engineering pipeline rather than ad-hoc edits ^[2]. Those facts establish the mechanism by which upstream fixes could be integrated, but they do not state a fixed schedule for pulling in each Mozilla security update ^{[2] [1]}.

2. Evidence on frequency: public activity signals but no explicit cadence

Public coverage and project pages show a minimal web presence and repo mirrors, and reviewers note IronFox is a continuation of the Mull Browser lineage — all of which implies active maintenance but not a published patch frequency ^{[3] [2]}. The DeepWiki summary confirms IronFox “applies privacy and security patches to the Firefox source code” and documents the patching/build steps, which supports the claim that security patches are applied as part of the build process rather than being ignored ^[1]. However, none of the provided sources list a timeline (e.g., within days of Mozilla advisories or monthly) or commit-level comparisons showing lag time between Mozilla fixes and IronFox merges ^{[3] [2] [1]}.

3. How Hardened Firefox variants compare — the evidence gap

The question asks for a comparison to “Hardened Firefox,” but the shared reporting contains no authoritative description, repository, or patch cadence for a project by that exact name; sources compare IronFox to other hardened forks conceptually but do not document their update frequencies ^{[3] [4] [5]}. Reviews that position IronFox alongside projects like LibreWolf or Iceraven speak to differing philosophies—IronFox favoring aggressive telemetry removal and feature lockdowns—yet those comparisons focus on features and UX, not on empirical patch timelines ^{[3] [5]}. Therefore any definitive claim about whether Hardened Firefox integrates upstream security fixes faster or slower than IronFox cannot be supported from these sources.

4. Practical indicators readers should check to judge real-world frequency

Because the supplied material documents IronFox’s patch-management architecture but not numerical lag times, the most reliable way to measure comparative frequency is to inspect live repositories and commit histories—track the date a Mozilla security patch was published versus the date IronFox merged the corresponding gecko/geckoview change, using the GitLab/GitHub mirrors referenced by the project ^{[2] [1]}. Reviews and project pages also note feature tradeoffs (e.g., WebGL disabled by default) that can influence how quickly a fork can accept upstream changes without reworking its hardening patches, a meaningful hidden cost when measuring cadence ^{[3] [5]}.

5. Balanced conclusion and what the reporting allows one to conclude

The documentation and reviews prove IronFox operates a formal patch-and-build system that integrates privacy/security modifications into Firefox source trees ^[1] and that it actively curates patches and mirrors its code ^[2]. The reporting does not, however, provide numbers, timelines, or comparative commit analysis to say how frequently IronFox applies Mozilla’s security fixes in days or weeks, nor does it supply comparable metrics for any “Hardened Firefox” variant to support a direct, evidence-backed comparison ^{[3] [4] [5]}. Independent repository audit—checking commit timestamps on the IronFox mirrors against Mozilla security advisories—remains the only way, given the available reporting, to produce the precise frequency comparison requested.