| Version | Supported |
|---|---|
| 0.x | ✅ |
Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub's private vulnerability reporting (Security → Report a vulnerability).
Include:
- Description and potential impact
- Steps to reproduce
- Affected version(s)
Response time: I aim to acknowledge reports within 7 days and publish a fix within 30 days for confirmed vulnerabilities.
notion-sync is a local CLI tool that runs on your own machine and talks directly to the Notion API and your self-hosted Docmost instance. There is no server component, no third-party data collection, and no telemetry.
- Notion tokens and Docmost credentials are read from a local
.envfile (gitignored) - never committed, never transmitted anywhere except to the Notion API and the Docmost instance you configure - Exported Notion content (
export/) and the Notion→Docmost id map (sync-map.json) are gitignored, since they may contain personal data - TLS certificate verification stays enabled by default; a custom CA cert
(
DOCMOST_CA_CERT_PATH) is only used to extend trust for self-signed/ internal-CA setups, not to disable verification
In scope: credential handling, injection vulnerabilities in the export/ import pipeline, path traversal in file handling.
Out of scope: the security of your own Notion account, your self-hosted
Docmost instance's own configuration, or third-party dependencies
(notion-downloader, notion-to-md) - report those upstream.