Skip to content

Security: gerfru/notion-sync

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.x

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately via GitHub's private vulnerability reporting (Security → Report a vulnerability).

Include:

  • Description and potential impact
  • Steps to reproduce
  • Affected version(s)

Response time: I aim to acknowledge reports within 7 days and publish a fix within 30 days for confirmed vulnerabilities.

Security Design

notion-sync is a local CLI tool that runs on your own machine and talks directly to the Notion API and your self-hosted Docmost instance. There is no server component, no third-party data collection, and no telemetry.

  • Notion tokens and Docmost credentials are read from a local .env file (gitignored) - never committed, never transmitted anywhere except to the Notion API and the Docmost instance you configure
  • Exported Notion content (export/) and the Notion→Docmost id map (sync-map.json) are gitignored, since they may contain personal data
  • TLS certificate verification stays enabled by default; a custom CA cert (DOCMOST_CA_CERT_PATH) is only used to extend trust for self-signed/ internal-CA setups, not to disable verification

Scope

In scope: credential handling, injection vulnerabilities in the export/ import pipeline, path traversal in file handling.

Out of scope: the security of your own Notion account, your self-hosted Docmost instance's own configuration, or third-party dependencies (notion-downloader, notion-to-md) - report those upstream.

There aren't any published security advisories