Tumbleweed Unveils Secure Guardian 5.5

Enhancements Offer Global 2000 Enterprises the Broadest Set of Secure Messaging Options Available For Safe Internet Communications with Customers, Partners and Suppliers

REDWOOD CITY, CA - October 14, 2002 - Tumbleweed® Communications Corp.(Nasdaq:TMWD - News), a leading provider of secure messaging applications for businesses and government agencies using the Internet, today announced fourth quarter availability of the Tumbleweed Secure Guardian 5.5 family of products. Building on the industry's widest selection of secure delivery options and leading content scanning capabilities, Secure Guardian 5.5 incorporates extensive feedback from Tumbleweed's blue-chip customer base and boasts the introduction of the Tumbleweed Secure EnvelopeT delivery method, enhanced S/MIME capabilities and deeper content scanning functionality. The new features will help enterprises increase secure messaging adoption among customers and partners, more easily enforce security in partner communications, reduce the waste of resources related to spam, and lower the total cost of ownership through the automation and simplification of day-to-day maintenance tasks.

The Tumbleweed Secure Guardian 5.5 family of products is designed to satisfy the complex secure messaging needs of Global 2000 organizations and large government agencies. The products reside between a company's email servers and corporate firewall, and possess the ability to securely deliver an email message via several online ("pull") or offline ("push") methods. The offline methods include server-to-server or server-to-client S/MIME, and now the Secure EnvelopeT, which delivers the encrypted message directly to a recipients email inbox without requiring the installation of any special client-side software to decrypt. The online methods are based on Tumbleweed's patented Private URL (PURL), which notifies a recipient of a message awaiting retrieval via an authenticated, encrypted web link to a secured server. Authentication to the message is achieved via password, digital certificate, secure token or through any existing single-sign-on engine.

Tumbleweed's solutions also leverage industry-leading email content scanning technology to ensure the enforcement of company-developed secure communications policies based on content, recipient profile, and business process. The policy gateway component of the Secure Guardian product family ensures that messages approved to leave the organization and containing sensitive information are delivered securely, and that threatening or inappropriate emails do not enter or leave the network.

Introduction of Tumbleweed Secure Envelope™
Solutions based on the Secure Guardian 5.5 family of products can now deliver a secure message using the Secure Envelope™ method. The Secure Envelope is an SMTP message with an HTML attachment that contains the encrypted message contents. The recipient opens the HTML attachment from within their normal email client, is asked to present a password, and is then presented with the decrypted message contents. The Secure Envelope enables the recipient to view the contents of the message offline and also allows them to manage the message contents locally from within their email client.

Dynamic recipient certificate lookup
For organizations that wish to leverage their investment in existing PKI solutions, Secure Guardian 5.5 solutions can also now perform real-time recipient certificate lookup from enterprise directories in addition to using domain certificates to encrypt for the recipient's email gateway. This functionality removes the need for enterprise end-users to understand how to use and manage recipient certificates as well as enforces the encryption of messages using industry-standard S/MIME when these certificates are available to the server.

The decision as to when to use Secure Guardian's flexible delivery options (Secure Envelope™), the various methods based on the PURL, dynamic recipient or domain certificate lookup) is based on recipient profile information stored on the server or in external enterprise directories.

Enhanced content scanning
For the company's latest product release, Tumbleweed has enhanced its industry-leading content scanning engine for better spam prevention and intellectual property protection. Policies can now be enabled to scan the content inside HTML tags as well as inside binary content that may contain text elements (also known as physical scanning). The HTML tag-scanning feature is useful to protect against spammers that embed hidden links to spam websites inside SMTP email. The physical scanning feature provides additional assurance that inappropriate text-based content is not being sent in binary file attachments (such as PDF content or hidden text in MS Word files). "We've seen a remarkable surge in concern over spam as a productivity drain from our large enterprise clients in the last 6 months" said Matt Cain, Vice President of the META Group. "Also, certain organizations within the Federal Government view controlling the content of outbound emails as a matter of national security. Proper email hygiene requires an email policy gateway with very granular access to the information being transmitted." In closing, Jeff Smith, Co-Founder, Chairman and Chief Executive Officer of Tumbleweed Communications, commented, "We're excited about offering extended capabilities for secure messaging to our large and growing customer base. The Secure EnvelopeT and dynamic certificate lookup features of Secure Guardian 5.5 further enable Global 2000 enterprises and government agencies to securely communicate with their customers and partners in ways that weren't possible using traditional email and website technologies."

About Tumbleweed
Tumbleweed is a leading provider of secure messaging solutions for businesses using the Internet. Tumbleweed's robust policy-based framework empowers organizations to safely share and protect critical information, increase customer loyalty and privacy and dramatically reduce costs. Tumbleweed is trusted by 1,000 blue-chip customers including American Express, Chevron, Datek Online, the European Union's Joint Research Council, First Union Wachovia, John Deere, Merrill Lynch, Nike, Northern Trust, NTT, Salomon Smith Barney, Travelers and the U.S. Food and Drug Administration. One hundred of the Fortune 500 are Tumbleweed customers. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, California.

Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations, and that a number of factors could cause the actual results to differ materially from the forward-looking statements made at this time. These factors are described in the Safe Harbor statement below. Tumbleweed undertakes no obligation to update this press release or statement about matters mentioned therein at any time, during the current quarter or in future quarters. Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to Tumbleweed's products, the timing of new releases, and developments in the secure messaging industry. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 30, 2002 and Form 10-Q filed August 14, 2002. Tumbleweed assumes no obligation to update information contained in this press release.