IPFire is a small project and probably not getting much (if any) attention from ethical hackers. I'd like to suggest that you consider a wishlist item to raise funds for a round of crowd-sourced security testing.
IPFire uses a lot of Open Source software, some of which may have been tested, but this doesn't mean that the particular way packages are compiled, configured and bundled is secure in IPFire (despite the best effort of our selfless developers).
- Having a security test done (and vulnerabilities fixed) will raise the profile of IPFire. Aside from OwnCloud, for example (a project which seems very well funded), I'm not aware of an independent open-source project that has a bug bounty program.
- If testing does uncover an upstream bug, then getting that fixed will benefit IPFire and the wider open-source community - a win-win situation.
My unresearched guess is that US$100 for a major exploit would be generous for software like this, which will be relatively easy to test. A medium could be $50 and a low $25. We need only to raise enough for one round of testing, say US$1250? The round can last as long as there's money left to be paid out.
I'd suggest the bounty would only be against IPFire itself and a small set of frequently-used add-ons. (There are a few stale add-ons offered by Pakfire, which shouldn't be tested before they are updated to the latest version "upstream".)
Crowd-sourced security testing providers
I've heard good things about BugCrowd, but their competitor HackerOne should also be investigated.