Last updated: May 26, 2025

Notion Labs, Inc. looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

We only accept disclosure via HackerOne, you can submit using this link:

HackerOne

Response Targets

Notion Labs, Inc. will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 3 business days
• Time to triage (from report submit) - 10 business days
• Time to resolution (from report submit) - Varies depending on severity

We’ll try to keep you informed about our progress throughout the process. Feel comfortable reaching out with any questions.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Reports that cover more than one asset in scope will be paid out once at the highest paying in scope asset category.

In Scope Targets