Security & Disclosure

Security Policy

Last Updated: May 21, 2026


TL;DR (Quick Summary)

We take browser security seriously. If you find a security issue in Leef Browser, here is a quick overview of how we handle it. Look for the Verification Markers (e.g., S1) in the full text below.

  • S1 Reporting: Report all potential vulnerabilities to contact.qtech@proton.me.
  • S2 Scope: In-scope items are Leef UI, settings, and custom configuration layers. Upstream Chromium bugs are out of scope.
  • S3 Timeline: We triage reports within 48 hours and fix confirmed flaws as fast as possible.
  • S4 Guarantees: Since we don't run external sync servers, your browser settings and local databases stay on your device and cannot be exposed by a breach of our infrastructure.

Supported Versions

We actively support security updates for the current major release of Leef. Below is the support status for active version branches.

Version Branch   Supported   Security Support Status
1.x.x            ✔️ Yes      Active security support for the v1.0.0 release.
0.x.x            ❌ No       Discontinued for security support as of June 1st, 2026 to make way for the release of v1.0.0. Please upgrade to receive future security patches.

Reporting Vulnerabilities

Vulnerability Disclosure Email S1

Please report any suspected vulnerability to our core team via email at contact.qtech@proton.me.

To help us triage and resolve the issue quickly, please include:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue (including any specific platforms or browser versions affected).
  • A working Proof of Concept (PoC) or script, if applicable.
  • Whether you wish to be credited publicly or remain anonymous.

Note: Please do not open public GitHub issues for security vulnerabilities, as this exposes users to potential exploits before a patch can be deployed.

Policy Scope

Our security policy applies to software components directly developed and maintained under the Leef Browser project.

In-Scope (Leef UI & Features) S2

  • ✔️ Custom UI / Toolbar vulnerabilities
  • ✔️ Slop Scanner configuration & interaction logic
  • ✔️ Warp Speed search parameters & engine isolation
  • ✔️ Local state databases (history, cookies, credentials)
  • ✔️ Auto-update checker & installer signatures

Out-of-Scope (Chromium / External)

  • ❌ Standard Chromium upstream bugs (Blink, V8, etc.)
  • ❌ Security flaws on third-party websites you visit
  • ❌ Third-party extensions installed by the user
  • ❌ Operating system or driver-level vulnerabilities

Disclosure & Timeline

Our Committed Response Timeline S3

We are a lean, open-source team. We dedicate our time to resolving issues quickly and transparently. When we receive a report:

  • Triage: We will acknowledge and verify your report within 48 hours of receipt.
  • Fix: Confirmed reports are assigned a severity level, and we aim to deploy patches within 14 days for critical issues.
  • 90-Day Disclosure: We follow the standard coordinated disclosure timeline. Public disclosure of the details is coordinated for 90 days after the report, or sooner once a patch is live.
  • Attribution: We will proudly credit you in the release notes on GitHub and our website (unless you opt for anonymity).

Note: Leef does not run a bug bounty program with financial rewards. We are fully open source, and all of our contributions (and those of our researchers) are public-domain donations to the community.

Security Guarantees

Zero Telemetry = Zero Exposure S4

The primary security advantage of Leef is its structural simplicity. Because we do not offer cloud sync, do not collect browser telemetry, and do not maintain user databases on our servers:

  • No Cloud Vectors: Your profile cannot be leaked in a server breach.
  • Local Isolation: All sensitive data (passwords, cookies, history) is encrypted using your system's native OS keychain (Windows Credential Manager / macOS Keychain).
  • Stripped Handshakes: We actively configure the Chromium engine to drop tracking and telemetry requests, reducing the active connection surface.