If you discover a security issue in NotAlterra, report it privately through one of the channels below. Do not open a public issue.
- Go to the repository's Security tab: https://github.com/forkless/NotAlterra/security/advisories
- Click Report a vulnerability.
- Fill in the form — no GPG needed, the thread is private by default.
- GitHub can assign a CVE ID directly through their CNA.
If you cannot use the GitHub advisory form, email the maintainer directly:
Encrypted email is preferred when the report includes sensitive details or proof-of-concept code.
If you report a vulnerability in good faith and follow this policy — report privately, allow time for a patch, do not publish exploit code before a release — NotAlterra will not pursue legal action against you. Your testing is authorized within the scope defined below. No other authorization, express or implied, is granted.
- Acknowledgment: Within 48 hours of receipt.
- Patch: Fix committed within 48 hours of triage.
- Disclosure: Public advisory posted after the patch release ships.
These are best-effort targets. NotAlterra is maintained by a single person — real-life delays happen. If you haven't heard back within the timeline, a polite follow-up is welcome.
NotAlterra is an offline desktop application. In-scope security concerns include but are not limited to:
- Unintended file writes outside declared paths.
- Path traversal in save-folder or backup-folder handling.
- Silent data corruption during backup or restore.
- Dependency vulnerabilities (monitored via cargo-deny).
Out of scope:
- Issues requiring physical access to the user's machine.
- Social engineering attacks.
- Malicious Subnautica 2 save files deliberately crafted to crash the parser (GVAS parsing errors are handled gracefully, and the parser uses no unsafe code).
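As an added example, not NotAlterra's own code, here is the shape of the checks behind the first three in-scope items: containment of a user-supplied save or backup path inside a declared folder, and a copy that is read back and compared so a bad backup cannot pass silently. It is written in Rust because the project builds with Cargo; the function names, the scratch folder and the sample "GVAS" bytes are assumptions made for the example.

```rust
// Added example (not NotAlterra code): path containment for save/backup
// folders and a read-back-verified copy. Names and sample data are hypothetical.
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

fn rejected(why: &str, relative: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, format!("{why}: {relative:?}"))
}

/// Resolve a user-supplied relative path underneath `base` and refuse anything
/// that could land outside it. `base` must exist. The final component may not
/// exist yet (a backup about to be written), so only its parent directory is
/// canonicalized; that step follows symlinks, which a purely lexical `..`
/// filter would miss.
pub fn resolve_within(base: &Path, relative: &str) -> io::Result<PathBuf> {
    // Lexical pass: keep plain names only; reject `..`, `/`, `C:\` and empty input.
    let mut parts = Vec::new();
    for component in Path::new(relative).components() {
        match component {
            Component::Normal(name) => parts.push(name.to_owned()),
            Component::CurDir => {}
            _ => return Err(rejected("path escapes or is absolute", relative)),
        }
    }
    let (file_name, dirs) = match parts.split_last() {
        Some(split) => split,
        None => return Err(rejected("empty path", relative)),
    };

    // Semantic pass: canonicalize base and the target's parent, then compare.
    let base = fs::canonicalize(base)?;
    let mut parent = base.clone();
    parent.extend(dirs);
    let parent = fs::canonicalize(&parent)?;
    if !parent.starts_with(&base) {
        return Err(rejected("parent directory resolves outside base", relative));
    }

    // If the target already exists it may itself be a link; resolve it too.
    let target = parent.join(file_name);
    if target.exists() && !fs::canonicalize(&target)?.starts_with(&base) {
        return Err(rejected("target is a link outside base", relative));
    }
    Ok(target)
}

/// Copy `src` to `dst`, then read both back and compare byte for byte, so a
/// short write or a clobbered destination surfaces as an error instead of a
/// silently bad backup. Returns the byte count on success.
pub fn verified_backup(src: &Path, dst: &Path) -> io::Result<u64> {
    let copied = fs::copy(src, dst)?;
    let original = fs::read(src)?;
    let written = fs::read(dst)?;
    if original != written {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "backup does not match source after copy",
        ));
    }
    Ok(copied)
}

fn main() -> io::Result<()> {
    // Constructed sample: a scratch save folder holding one fake "GVAS" file.
    let base = std::env::temp_dir().join(format!("notalterra_example_{}", std::process::id()));
    fs::create_dir_all(base.join("saves"))?;
    fs::write(base.join("saves/slot1.sav"), b"GVAS\x00\x01")?;

    let src = resolve_within(&base, "saves/slot1.sav")?;
    let dst = resolve_within(&base, "saves/slot1.bak")?;
    println!("backed up {} bytes to {}", verified_backup(&src, &dst)?, dst.display());

    for bad in ["../outside.sav", "/etc/passwd", ""] {
        println!("{bad:?} -> {}", resolve_within(&base, bad).unwrap_err());
    }
    fs::remove_dir_all(&base)
}
```

The containment check canonicalizes the target's parent, which catches a symlinked subdirectory that a lexical `..` filter would pass; the read-back compare after `fs::copy` is what turns a short or partial write into an error rather than a truncated backup. Both remain subject to a race if another process swaps a path between the check and the write, so the check belongs as close to the actual open as the code allows.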
Only the latest release receives security patches.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |