Mozilla Launches Free Built‑in VPN for Firefox Users – Scope, Limitations, and TPRM Considerations
What Happened – Mozilla announced that the Firefox browser will include a free, built‑in VPN service starting 24 March 2026. The offering is initially limited to the United States, France, Germany, and the United Kingdom and is provided at no extra charge to all Firefox users.
Why It Matters for TPRM –
- A new data‑processing service is being added to a widely deployed SaaS product, expanding the third‑party risk surface that Mozilla presents.
- The free VPN may collect connection metadata (IP, timestamps, device identifiers) that could affect privacy‑by‑design assessments.
- Organizations that already contract with Mozilla for browser‑related services must evaluate whether the VPN aligns with existing security and compliance controls.
Who Is Affected – Technology / SaaS vendors, enterprises that standardize on Firefox, and any third‑party risk program that includes browser vendors as critical suppliers.
Recommended Actions –
- Review Mozilla’s VPN privacy policy and data‑handling agreements.
- Verify that the VPN’s encryption standards (e.g., TLS 1.3, AES‑256) meet your organization’s security baseline.
- Update vendor risk registers to reflect the added service and assess any contractual amendments needed.
Technical Notes – The VPN is delivered as a browser extension, leveraging Mozilla’s existing VPN infrastructure (≈500 servers in 30+ countries). No CVEs are disclosed; the service is free but limited to a subset of regions and devices (up to five per account). Data types potentially collected include IP addresses, connection timestamps, and device identifiers.
Source: ZDNet Security