Security
Last updated: April 3, 2026. This page summarizes the current security posture for LeakBar and the companion licensing website.
Architecture
LeakBar is a local-first application. Monitoring, scoring, evidence capture, exports, and support bundles stay on your Mac. Licensed product access validates against leakbar.com and uses cached and grace behavior if that service becomes unavailable.
Minimal network dependency
The application does not call home for telemetry or monitoring. The only production network dependency in the app is license validation for licensed product access.
No telemetry or analytics
LeakBar contains no telemetry, crash reporting hooks, or analytics SDKs. What happens on your machine stays on your machine.
Process Access Model
LeakBar observes only processes owned by the same user account that is running the app. It does not require root privileges and does not use a kernel extension (kext) or system extension.
- Same-user processes only
- No root, no sudo, no privilege escalation
- No kernel extension or system extension
- Read-only observation — LeakBar does not write to monitored processes
Data Storage
All collected data is stored in your user Library folder:
~/Library/Application Support/LeakBar/
On macOS, the license key is stored in the Keychain by default. LeakBar keeps local license state, machine identity, and validation timestamps in application storage.
Website and license service hardening
- Checkout, webhook, recovery, and validation routes send baseline security headers including HSTS, CSP, frame denial, and referrer policy
- The website publishes a /.well-known/security.txt disclosure entry
- License validation is seat-aware and machine-bound at the issued-record layer
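The two website items above (baseline security headers and a security.txt disclosure entry) can be checked from the outside. The following is an added example, not code from LeakBar or leakbar.com: it audits a set of response headers for the named baseline (HSTS, CSP, frame denial, Referrer-Policy) and checks a security.txt body for the fields RFC 9116 requires. The header values and the security.txt text are constructed samples; the 180-day HSTS minimum is an assumption, not a figure from this page.

```python
"""Audit helpers for the hardening items listed on this page.

Added example, not LeakBar/leakbar.com code. All sample data below is
constructed so the checks run offline.
"""
import re
from datetime import datetime, timezone

HSTS_MIN_MAX_AGE = 15552000  # 180 days; assumed threshold, not from the page


def audit_security_headers(headers):
    """Return a list of findings; an empty list means the baseline is met.

    `headers` maps response header name -> value. Names are matched
    case-insensitively, as HTTP header names are.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS must be present and carry a meaningful max-age
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age below 180 days")

    # CSP should at least define a default-src fallback
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")

    # Frame denial: X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no frame denial (X-Frame-Options or CSP frame-ancestors)")

    if not h.get("referrer-policy"):
        findings.append("missing Referrer-Policy")
    return findings


def check_security_txt(text, now=None):
    """Parse a security.txt body and return (fields, problems).

    RFC 9116 requires at least one Contact and exactly one Expires, and a
    file whose Expires has passed should be treated as stale.
    """
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # split on the first colon only: values like mailto:... contain colons
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    problems = []
    if not fields.get("contact"):
        problems.append("no Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("security.txt has expired")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    return fields, problems


# Constructed sample data (not captured from leakbar.com)
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {"Content-Security-Policy": "script-src 'self'"}

SAMPLE_SECURITY_TXT = """\
# constructed sample security.txt
Contact: mailto:security@example.invalid
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
"""

if __name__ == "__main__":
    print("good headers:", audit_security_headers(SAMPLE_HEADERS))
    print("weak headers:", audit_security_headers(WEAK_HEADERS))
    print("security.txt:", check_security_txt(SAMPLE_SECURITY_TXT)[1])
```

To run the header audit against a live site, feed it the headers from a single response (for example the dict returned by an HTTP client) and treat any non-empty findings list as a regression against the baseline the page describes.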
Code Signing and Notarization
- Signed with Developer ID by MLNavigator Inc.
- Hardened Runtime enabled
- Notarization is supported by the release packaging pipeline when Apple signing credentials are configured
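A user who downloads a release can confirm the three claims above (Developer ID signer, Hardened Runtime, notarization) with Apple's own tools. The following is an added example, not LeakBar's release tooling: it parses the description that `codesign -dv --verbose=4` prints, checks the leaf certificate against the signer named on this page and the runtime flag, and wraps `codesign --verify` and `spctl --assess` for a live check on a Mac. The bundle path, bundle identifier and Team ID in the sample output are placeholders, and the sample output itself is constructed.

```python
"""Verify Developer ID signing, Hardened Runtime and notarization of an app bundle.

Added example, not LeakBar's own code. Only the parsing runs offline; the
subprocess calls need macOS.
"""
import re
import subprocess

EXPECTED_SIGNER = "Developer ID Application: MLNavigator Inc."  # signer named on the page


def parse_codesign_info(text):
    """Parse `codesign -dv --verbose=4` output (it is written to stderr)."""
    info = {"authorities": [], "flags": "", "team_id": None, "identifier": None}
    for line in text.splitlines():
        if line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
        elif line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
        elif line.startswith("CodeDirectory"):
            # e.g. flags=0x10000(runtime) when Hardened Runtime is enabled
            m = re.search(r"flags=(\S+)", line)
            if m:
                info["flags"] = m.group(1)
    return info


def evaluate_signature(info, expected_signer=EXPECTED_SIGNER):
    """Return findings; empty means Developer ID signer + Hardened Runtime found."""
    findings = []
    # The first Authority line is the leaf certificate that signed the code
    if not info["authorities"] or not info["authorities"][0].startswith(expected_signer):
        findings.append("leaf certificate is not the expected Developer ID signer")
    if "runtime" not in info["flags"]:
        findings.append("Hardened Runtime flag not set")
    if not info["team_id"]:
        findings.append("no TeamIdentifier (ad-hoc or unsigned)")
    return findings


def inspect_bundle(path):
    """Run the real tools on macOS; returns a findings list (not exercised offline)."""
    desc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True).stderr
    findings = evaluate_signature(parse_codesign_info(desc))

    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        findings.append("codesign --verify failed: " + verify.stderr.strip())

    # Gatekeeper assessment; a notarized build reports source=Notarized Developer ID
    spctl = subprocess.run(["spctl", "--assess", "--type", "exec", "-vv", path],
                           capture_output=True, text=True)
    out = spctl.stdout + spctl.stderr
    if spctl.returncode != 0:
        findings.append("Gatekeeper rejected the bundle: " + out.strip())
    elif "Notarized" not in out:
        findings.append("accepted by Gatekeeper but not reported as notarized")
    return findings


# Constructed sample of codesign output; identifier and Team ID are placeholders
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/LeakBar.app/Contents/MacOS/LeakBar
Identifier=com.example.leakbar
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: MLNavigator Inc. (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 1, 2026 at 10:00:00
TeamIdentifier=TEAMID0000
Runtime Version=14.0.0
"""

if __name__ == "__main__":
    print(evaluate_signature(parse_codesign_info(SAMPLE_CODESIGN_OUTPUT)))
```

On a Mac, `inspect_bundle("/Applications/LeakBar.app")` (path assumed) returns an empty list only when the bundle is validly signed by the expected Developer ID, has Hardened Runtime enabled and is accepted by Gatekeeper as notarized; the last point is the one to watch given that notarization depends on signing credentials being configured at release time.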
Responsible Disclosure
If you discover a security vulnerability in LeakBar, please report it to:
Please include a description of the issue, steps to reproduce, and your assessment of impact. LeakBar does not operate a public bug bounty program. We aim to acknowledge receipt within 5 business days and resolve confirmed issues promptly through coordinated disclosure.