The following versions of Leef Browser currently receive security updates:

| Version | Supported |
|---|---|
| 0.x | ✅ Active support |

We take security seriously. If you discover a vulnerability in Leef Browser, please do not open a public GitHub issue.
Instead, report it privately so we can address it before public disclosure:

- Email: contact.qtech@proton.me
- GitHub: Use GitHub's private vulnerability reporting on this repository

Please provide as much detail as possible:

- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- The Leef Browser version affected
- Any proof-of-concept code or screenshots (if applicable)

| Stage | Timeframe |
|---|---|
| Initial acknowledgement | Within 48 hours |
| Severity assessment | Within 5 business days |
| Patch release (critical) | Within 14 days |
| Patch release (high/medium) | Within 30 days |
| Public disclosure | After patch is released |

In scope:

- Remote code execution via the browser
- Sandbox escape from Electron's renderer process
- Authentication/session vulnerabilities
- Data exfiltration via the browser's network layer

Out of scope:

- Issues in websites visited through Leef (not the browser itself)
- Missing security headers on third-party sites
- Denial of service requiring physical access

Leef Browser is built on Electron and uses the following security configuration:

- `webSecurity: true` — enforces same-origin policy in webviews
- `contextIsolation: false` / `nodeIntegration: true` — required for the current renderer architecture; a future update will migrate to a preload-based IPC model
- All network-level ad/tracker blocking is handled in the main process via `session.webRequest`
- No external analytics or telemetry is collected

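
As an added illustration of the preload-based IPC model mentioned above (this is not Leef Browser's code), the sketch below pairs the assumed target window settings with a channel allowlist enforced in the preload and a sender check in the main process. The channel names, the `leefAPI` name, the preload path and the UI page URL are hypothetical; the Electron objects are passed in as parameters so the logic can be exercised outside Electron.

```javascript
// Added example. Channel names, `leefAPI`, and UI_PAGE are hypothetical.
const ALLOWED_CHANNELS = new Set(['tabs:open', 'adblock:get-stats']);
const UI_PAGE = 'file:///app/index.html'; // constructed placeholder for the browser UI page

// Window settings after the migration (assumed target; preload path is a placeholder).
const TARGET_WEB_PREFERENCES = Object.freeze({
  webSecurity: true,
  contextIsolation: true,  // page scripts no longer share a JS context with the preload
  nodeIntegration: false,  // no require() in the renderer
  preload: '/path/to/preload.js',
});

// Preload side. In the real preload script this would be wired up as:
//   const { contextBridge, ipcRenderer } = require('electron');
//   contextBridge.exposeInMainWorld('leefAPI', buildPreloadApi(ipcRenderer));
function buildPreloadApi(ipcRenderer) {
  return Object.freeze({
    invoke(channel, payload) {
      if (!ALLOWED_CHANNELS.has(channel)) throw new Error(`blocked channel: ${channel}`);
      return ipcRenderer.invoke(channel, payload);
    },
  });
}

// True only when the calling frame is the browser's own UI page.
function isUiFrame(frameUrl, uiPage = UI_PAGE) {
  try {
    const got = new URL(frameUrl);
    const want = new URL(uiPage);
    return got.protocol === want.protocol && got.host === want.host && got.pathname === want.pathname;
  } catch {
    return false; // a missing or unparsable URL is never trusted
  }
}

// Main-process side: refuse to register non-allowlisted channels and reject
// calls from any frame other than the UI page (e.g. a visited website).
function registerMainHandlers(ipcMain, handlers) {
  for (const [channel, fn] of Object.entries(handlers)) {
    if (!ALLOWED_CHANNELS.has(channel)) throw new Error(`not allowlisted: ${channel}`);
    ipcMain.handle(channel, (event, payload) => {
      const url = event.senderFrame ? event.senderFrame.url : '';
      if (!isUiFrame(url)) throw new Error(`untrusted sender: ${url}`);
      return fn(payload);
    });
  }
}
```
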
Leef Browser is developed by QTech.