Security
Last updated: April 3, 2026. This page summarizes the current security posture for LeakBar and the companion licensing website.
Architecture
LeakBar is a local-first application. Monitoring, scoring, evidence capture, exports, and support bundles stay on your Mac. Licensed product access validates against leakbar.com and uses cached and grace behavior if that service becomes unavailable. Trial registration sends the setup email, a machine identifier, first-run time, and app version when available; leakbar.com derives the trial dates needed for lifecycle emails.
Minimal network dependency
The application does not call home for telemetry or monitoring. The licensing surface remains license validation, trial registration, and trial lifecycle emails: the app submits validation and registration requests, while leakbar.com sends lifecycle emails. Packaged installs can also use signed in-app update checks when enabled.
No telemetry or analytics
LeakBar contains no telemetry, crash reporting hooks, or analytics SDKs. What happens on your machine stays on your machine.
Process Access Model
LeakBar observes only processes owned by the same user account that is running the app. It does not require root privileges and does not use a kernel extension (kext) or system extension.
- Same-user processes only
- No root, no sudo, no privilege escalation
- No kernel extension or system extension
- Read-only observation — LeakBar does not write to monitored processes
Data Storage
All collected data is stored in your user Library folder:
~/Library/Application Support/LeakBar/
On macOS, the license key is stored in the Keychain by default. LeakBar keeps local license state, machine identity, and validation timestamps in application storage.
Website and license service hardening
- Checkout, webhook, recovery, and validation routes send baseline security headers including HSTS, CSP, frame denial, and referrer policy
- The website publishes a
/.well-known/security.txtdisclosure entry - License validation is seat-aware and machine-bound at the issued-record layer
Code Signing and Notarization
- Signed with Developer ID by MLNavigator Inc.
- Hardened Runtime enabled
- Notarization is supported by the release packaging pipeline when Apple signing credentials are configured
Responsible Disclosure
If you discover a security vulnerability in LeakBar, please report it to:
Please include a description of the issue, steps to reproduce, and your assessment of impact. LeakBar does not operate a public bug bounty program. We aim to acknowledge receipt within 5 business days and resolve confirmed issues promptly through coordinated disclosure.