Security

Built secure, not patched secure.

Most of what makes a modern computer dangerous is the software it runs from strangers. LeivOS removes that path entirely — and replaces it with software written, reviewed, and audited by our own security engineers.

Secure multi-user

Every account on a LeivOS machine has its own home, its own processes, and its own permissions. One user cannot read or modify another user's files. The administrator account is separated from your day-to-day account, the way it always should have been.

No third-party apps. No viruses.

LeivOS does not load arbitrary software off the internet. Every application that runs on the system is one we wrote and shipped. There is no app store full of unverified developers, no driver signed by a stranger, no ".exe from the web" path. The category of malware that thrives on those vectors does not exist here.

In-house, end to end

Every app, every library, the kernel, the network stack, and the cryptography are written, reviewed, and audited by our own security engineers. Nothing is vendored. Nothing is forked. We can read every line of code that runs on your machine — and so can our auditors.

The threat we removed

You can't get a virus from an app you can't install.

The dominant way ordinary computers get compromised in 2026 is the user installing software they shouldn't have. A bundled toolbar. A "free" PDF tool. An update prompt that wasn't really an update. A driver from the wrong website.

LeivOS does not have that path. There is no third-party installer. There is no driver trust ladder for hardware we did not test. There is no plug-in marketplace populated by strangers. The set of programs that can run on your LeivOS machine is the set we shipped, plus the ones you write for yourself.

That is a real trade-off. It is also the thing that makes the system safe in a way an antivirus can never make Windows safe.

Defense in depth

Every layer, hardened.

We don't lean on a single mitigation. Each layer of LeivOS is built so a failure at one level is contained at the next.

Kernel

  • Per-process address spaces with hard memory limits
  • Guard pages below every kernel-created user stack
  • Capability-checked surface IDs and IPC handles
  • Per-process privilege manifest gating raw network and device access
  • NX, SMEP, SMAP enforced where the CPU exposes them

Userspace

  • Apps run unprivileged by default; raising privilege requires explicit consent
  • Window manager survives any single client crashing or being killed
  • No telemetry agent, no crash uploader, no analytics service
  • Files live in plain folders on disk — nothing is silently uploaded

Cryptography

  • TLS 1.3 implemented from scratch — no vendored library
  • Every primitive validated against published RFC test vectors
  • X25519, AES-GCM, ChaCha20-Poly1305, RSA-PSS, P-256 ECDSA — all in-house
  • X.509 chain validation against real OpenSSL-generated certificates
  • WPA2-PSK Wi-Fi with verified 4-way handshake against captured fixtures

Privacy

  • No data collection. No background analytics. No "experience improvement program."
  • Update checks transmit the version number only; logs deleted after 14 days
  • No advertising surfaces anywhere in the system
  • Your purchase information is held only by us and the payment processor

In-house audit

Our security engineers wrote it. Our security engineers audit it.

Every change to LeivOS goes through code review by an engineer with a security background. Every cryptographic primitive is required to validate against published RFC test vectors before it is allowed to merge. Every release is regression-tested against captured adversarial inputs — including, in the case of Wi-Fi, real wire bytes from a throwaway access point.

Because we wrote the code, we can answer what a piece of code does. Because the codebase is small, we can answer it quickly. Because there are no upstream dependencies to chase, the answer does not change between releases.

Read more about how the cryptographic stack was built and tested in the development blog — the TLS 1.3 and WPA2 posts are good places to start.

Common questions

Security FAQ.

Why is closed source more secure here?

For most projects, open source is a security advantage — many eyes find bugs faster. We chose closed source for the LeivOS userland and kernel for a different reason: we want to control exactly what code lands on your machine. There is no chain of upstreams to trust, no contributor whose commit might slip through, and no fork that quietly diverges. Our own security engineers audit every change. Tape language sources ship with the Pro license for developers who want to inspect what their applications run on.

How do you handle vulnerabilities once you find one?

A confirmed vulnerability is fixed in the next point release within the major version you bought. Your license includes those updates. We disclose what was fixed, what was affected, and how to verify the fix has landed. We do not embargo our own users.

What about supply chain attacks?

There is no supply chain in the conventional sense. LeivOS does not pull dependencies from a public package registry. The build is reproducible from the source we control, on infrastructure we control. The installer image is signed, and the signature is independent of the OS being installed.

Can I run my own software?

Yes — code you write yourself, in Tape or compiled against the LeivOS APIs, runs on your machine. The system does not run software you simply download from the internet. That is the point.

Where do I report a security issue?

security@leivos.com. PGP key on request. We answer within one business day.

Responsible disclosure

Found something? Tell us first.

Email security@leivos.com. We answer within one business day. Coordinated disclosure is the norm; we credit you in the release notes.
