I mean… this is a much more complicated question, even if you don’t necessarily realize it. Some layers:
-
Actual GL.iNet software - i.e., all of the stuff that GL.iNet has written themselves and the security defaults / bugs / what not thereof. None of this has been audited, as far as I’m aware, and there have been certain… issues… that might cause a reasonable person to question the general security defaults that are in place.
-
OS-level patches in stock firmware. Few if any GL.iNet devices are updated with the latest greatest OpenWrt under the hood - and most aren’t even up-to-date on the latest builds of packages within their own firmware group. On one hand this sounds bad, but in reality it’s kind of par for the course for a lot of router setups. Remember that in the enterprise space taking down a router is a really big deal - you don’t want to do it unless you really have to. One of my biggest criticisms of a distribution like OPNsense is that they actually issue updates too frequently. I don’t want to have to reboot my stuff every two weeks to apply updates, especially if I’ve done a decent job of securing the rest of the stack. If there’s something critical, sure… but…
-
Running stock OpenWrt. In some cases you can run stock OpenWrt on a GL.iNet router, and then you can just update to your hearts content. If you want to. But there are costs associated with that, and it doesn’t necessarily improve your security posture.
-
Do you actually have everything else locked down like you’re supposed to, which kind of doesn’t have anything to do with GL.iNet’s devices proper? Certainly running stock firmware is one of those things that opens up a lot of additional attack vectors.
If you’re really serious about security, an OpenWrt product is … maybe not what you ought to be looking at in general. If you are looking at an OpenWrt product and you’re really serious, I would recommend building your own firmware, from stock, and only including what you absolutely need, then making sure you’ve got a good environment set up to maintain all of that.
But honestly, I think that’s a bridge too far for most people. Make sensible security choices and do your best. Some choices are better than others, but in the consumer router space you’re probably not going to find somebody who is superior to everyone else (though you’ll find lots of choices who are inferior to the good players).