Security
Architecture
LeakBar is a local-first application. Apart from license validation (described below), it makes no outbound network connections during normal operation. All monitoring data is collected, stored, and processed on your Mac.
No network calls beyond license validation
The application does not call home during normal monitoring. Its only production network dependency is license validation, which gates access to the licensed product. Monitoring, scoring, evidence capture, exports, and support bundles are all performed locally and never leave the machine unless you send them.
No telemetry or analytics
LeakBar contains no telemetry, crash reporting hooks, or analytics SDKs. What happens on your machine stays on your machine.
Process Access Model
LeakBar observes only processes owned by the same user account that is running the app. It does not require root privileges and does not use a kernel extension (kext) or system extension.
- Same-user processes only
- No root, no sudo, no privilege escalation
- No kernel extension or system extension
- Read-only observation — LeakBar does not write to monitored processes
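The two claims above (no outbound connections outside license validation; same-user, non-root process) can be verified on a running instance with standard macOS tools. The script below is an added example, not LeakBar's own code: it parses the output of `lsof -i` and `ps` so the checks can be exercised offline on constructed samples, and only `live_check()` runs the real tools. The process name `LeakBar`, the PID 4242 and every address in the sample are assumptions, not captures.

```python
"""Verify the "no outbound connections" and "same-user, no root" claims with
lsof and ps. Added example; not LeakBar's own code."""
import getpass
import subprocess

# Constructed sample of `lsof -i -n -P -a -p 4242` output. It is NOT a capture of
# LeakBar; one outbound TCP session is included to show how such a line is flagged.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
LeakBar  4242 alice   12u  IPv4 0x7f0123456789abcd      0t0  TCP 192.168.1.20:52344->203.0.113.10:443 (ESTABLISHED)
LeakBar  4242 alice   15u  IPv4 0x7f0123456789abce      0t0  TCP 127.0.0.1:49152 (LISTEN)
LeakBar  4242 alice   16u  IPv4 0x7f0123456789abcf      0t0  UDP *:*
"""


def parse_lsof(output):
    """Split `lsof -i` rows into dicts, skipping the header. NAME is the last
    column and may contain a space before the "(STATE)" suffix, so split at
    most 8 times and keep the remainder whole."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 8)
        if len(parts) == 9:
            rows.append({"pid": parts[1], "user": parts[2], "fd": parts[3],
                         "proto": parts[7], "name": parts[8]})
    return rows


def outbound_peers(rows):
    """Remote endpoints of sockets lsof renders as local->remote, i.e. every
    connected or connecting socket, whatever its state."""
    peers = []
    for r in rows:
        if "->" in r["name"]:
            remote = r["name"].split("->", 1)[1].split(" ", 1)[0]
            peers.append((r["proto"], remote))
    return peers


def listening_ports(rows):
    """Local sockets in LISTEN state; a local-only app normally has none."""
    return [r["name"].split(" ", 1)[0] for r in rows if "(LISTEN)" in r["name"]]


def owner_findings(ps_output, expected_user):
    """ps_output is the single line from `ps -o uid=,user= -p PID`.
    Flags an effective uid of 0 or a process not owned by the checking user."""
    fields = ps_output.split()
    if len(fields) != 2:
        return ["could not parse ps output: %r" % ps_output]
    uid, user = fields
    findings = []
    if uid == "0":
        findings.append("process runs as root")
    if user != expected_user:
        findings.append(f"process owned by {user}, not {expected_user}")
    return findings


def live_check(pid, allowed_peers=()):
    """Run the real tools against a PID (macOS only). allowed_peers holds
    host:port strings you have confirmed belong to the license endpoint;
    anything else connected is reported. lsof exits 1 with empty output when
    the process has no sockets, which is the expected result here."""
    lsof = subprocess.run(["lsof", "-i", "-n", "-P", "-a", "-p", str(pid)],
                          capture_output=True, text=True, check=False).stdout
    ps = subprocess.run(["ps", "-o", "uid=,user=", "-p", str(pid)],
                        capture_output=True, text=True, check=False).stdout
    rows = parse_lsof(lsof)
    unexpected = [p for p in outbound_peers(rows) if p[1] not in allowed_peers]
    return {"unexpected_outbound": unexpected,
            "listening": listening_ports(rows),
            "privilege": owner_findings(ps, getpass.getuser())}


if __name__ == "__main__":
    rows = parse_lsof(SAMPLE_LSOF)
    print("outbound:", outbound_peers(rows))
    print("listening:", listening_ports(rows))
    print("owner:", owner_findings("501 alice", "alice"))
```

Run `live_check(pid)` while LeakBar is monitoring and again during a license check: the first should report no outbound peers at all, the second only the endpoint you have added to `allowed_peers`. Because the check is read-only and needs no privileges itself, it can be repeated from a plain user shell at any time.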
Data Storage
All collected data is stored in your user Library folder:
~/Library/Application Support/LeakBar/
On macOS, the license key is stored in the Keychain by default. Local license state, the machine identity used for license binding, and validation timestamps are kept in the application support directory above.
Website and license service hardening
- Checkout, webhook, recovery, and validation routes send baseline security headers, including HSTS, CSP, frame denial, and a referrer policy
- The website publishes a /.well-known/security.txt disclosure entry
- License validation is seat-aware and machine-bound at the issued-record layer
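The header claim above can be confirmed against a deployed route with a small checker like the one below. It is an added example, not the LeakBar website's code: the route URL is a placeholder, the two sample header sets are constructed, and the pass thresholds (a one-year HSTS max-age, a CSP with a default-src fallback, framing blocked by X-Frame-Options or CSP frame-ancestors, a referrer policy that never sends the full URL cross-origin) are this example's own policy rather than anything the page states.

```python
"""Check an HTTP response for the baseline security headers: HSTS, CSP,
frame denial and referrer policy. Added example; not the site's own code."""
import urllib.error
import urllib.request

# Constructed header sets, not captured from any LeakBar route.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",           # expires after five minutes
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete, ignored by browsers
    "Referrer-Policy": "unsafe-url",                      # leaks the full URL everywhere
}

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header, or 0 when absent/malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def check_headers(headers):
    """Return a list of findings; an empty list means every baseline check passed.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    csp = h.get("content-security-policy", "").lower()
    if "default-src" not in csp:
        findings.append("CSP missing or has no default-src fallback")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks the full URL cross-origin")
    return findings


def fetch_headers(url):
    """GET a route and return its response headers. Error responses are kept
    because 4xx/5xx replies from webhook or validation routes must carry the
    same headers as successes."""
    req = urllib.request.Request(url, method="GET",
                                 headers={"User-Agent": "header-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


if __name__ == "__main__":
    # Placeholder route; substitute the real checkout/webhook/validation URLs.
    for name, headers in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_headers(headers) or "OK")
```

Run `check_headers(fetch_headers(url))` once per route rather than once per site: the claim is about the checkout, webhook, recovery and validation routes specifically, and a webhook handler often lives behind a different middleware stack from the HTML pages.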
Code Signing and Notarization
- Signed with Developer ID by MLNavigator Inc.
- Hardened Runtime enabled
- Notarization is supported by the release packaging pipeline when Apple signing credentials are configured
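Since notarization depends on how a given release was packaged, the signing and notarization status of the build you actually installed is worth checking rather than assuming. The script below is an added example, not part of LeakBar's pipeline: it parses the output of `codesign --display --verbose=4` and `spctl --assess --type execute --verbose` for the Developer ID leaf, the Hardened Runtime flag and the Gatekeeper verdict. The install path, the team ID `TEAMID0000` and the sample outputs are constructed placeholders.

```python
"""Verify Developer ID signing, Hardened Runtime and notarization of a macOS
app bundle from codesign and spctl output. Added example; not LeakBar's code."""
import re
import subprocess

# Constructed `codesign -dvv` output (it is written to stderr) for a Developer ID
# build with Hardened Runtime. TEAMID0000 is a placeholder, not a real team ID.
SIGNED_HARDENED = """\
Executable=/Applications/LeakBar.app/Contents/MacOS/LeakBar
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: MLNavigator Inc. (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
# Constructed output for an ad-hoc signed build, which Gatekeeper will not accept.
ADHOC = """\
Executable=/Applications/LeakBar.app/Contents/MacOS/LeakBar
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
"""
# Constructed `spctl --assess --type execute --verbose` verdicts.
SPCTL_NOTARIZED = """\
/Applications/LeakBar.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: MLNavigator Inc. (TEAMID0000)
"""
SPCTL_UNSIGNED = """\
/Applications/LeakBar.app: rejected
source=no usable signature
"""


def parse_codesign(text):
    """Extract the CodeDirectory flags and the certificate chain from codesign output."""
    info = {"flags": [], "authorities": [], "adhoc": False}
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
        if m:
            info["flags"] = [f for f in m.group(1).split(",") if f]
        elif line.startswith("Authority="):
            info["authorities"].append(line[len("Authority="):])
        elif line == "Signature=adhoc":
            info["adhoc"] = True
    return info


def assess_signature(info, signer="MLNavigator Inc."):
    """Findings against the page's claims: Developer ID leaf for the named
    signer, chain rooted at Apple, Hardened Runtime enabled."""
    findings = []
    if "runtime" not in info["flags"]:
        findings.append("Hardened Runtime not enabled (no 'runtime' flag)")
    auth = info["authorities"]
    if not auth or not auth[0].startswith(f"Developer ID Application: {signer}"):
        findings.append(f"leaf certificate is not 'Developer ID Application: {signer}'")
    if "Apple Root CA" not in auth:
        findings.append("chain does not terminate at Apple Root CA")
    return findings


def parse_spctl(text):
    """Gatekeeper verdict: 'accepted' plus a Notarized Developer ID source means
    Apple's notary service has seen this exact build."""
    accepted = any(l.rstrip().endswith(": accepted") for l in text.splitlines())
    return {"accepted": accepted, "notarized": "source=Notarized Developer ID" in text}


def live_check(app_path):
    """Run the real tools (macOS only); both write their report to stderr."""
    cs = subprocess.run(["codesign", "--display", "--verbose=4", app_path],
                        capture_output=True, text=True, check=False).stderr
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose", app_path],
                        capture_output=True, text=True, check=False).stderr
    return {"signature": assess_signature(parse_codesign(cs)), "gatekeeper": parse_spctl(sp)}


if __name__ == "__main__":
    print(assess_signature(parse_codesign(SIGNED_HARDENED)) or "signature OK")
    print(parse_spctl(SPCTL_NOTARIZED))
```

A build that passes `assess_signature` but comes back `notarized: False` from spctl is signed with Developer ID but was packaged without notarization credentials, which is exactly the case the bullet above leaves open; `xcrun stapler validate` on the bundle additionally tells you whether the notarization ticket is stapled for offline installs.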
Responsible Disclosure
If you discover a security vulnerability in LeakBar, please report it to:
Please include a description of the issue, steps to reproduce, and your assessment of impact. We will acknowledge receipt within 5 business days and aim to resolve confirmed issues promptly. A formal disclosure policy with coordinated disclosure timelines is forthcoming.