Security
We appreciate responsible disclosure. If you find a security issue in GitNotifier, please report it privately and we will investigate quickly.
Report a vulnerability
Email us at [email protected] with details, reproduction steps, and any proof-of-concept.
Disclosure and safe harbor
Please keep findings confidential until we resolve the issue. Do not publicly disclose details without written approval.
If you act in good faith and follow this policy, we will not pursue legal action for your research.
Response expectations
We aim to acknowledge reports within 3 business days and share status updates as remediation progresses.
We do not currently run a public bug bounty program, but we may recognize impactful reports at our discretion.
Platform and infrastructure security
GitNotifier is built entirely on the Cloudflare platform and runs on serverless runtimes (Cloudflare Workers). This makes our workloads safer than traditional VMs or Docker containers. There is no long-lived server, host OS, or container image that we operate or that an attacker could compromise, and there is no SSH, shell, or persistent host to pivot into.
Each request runs in a lightweight, memory-isolated V8 isolate rather than a shared VM or container, so the attack surface is far smaller than a full operating system. Execution is ephemeral and stateless, with no persistent local filesystem for malware to install into, and Cloudflare keeps the underlying runtime patched across its global network.
We keep dependencies current automatically with Renovate, which opens pull requests to pick up the latest releases and patch known CVEs promptly.
We use pnpm to reduce supply chain risk. pnpm blocks automatic install scripts, commits a lockfile for reproducible installs, and delays newly published versions so a package that is later found to be malicious is most likely removed from the registry before we ever install it. That delay gives us a buffer during the window between a compromise being published and detected.
Related security resources
- Privacy Policy for details about what data GitNotifier stores, how it is used, and how deletion works.
- Security & Privacy Docs for OAuth protections, webhook validation, and token handling details.
- Slack Permissions for the Slack scopes GitNotifier requests and why they are needed.
Last updated: July 10, 2026