Security Advisory

Last updated
June 13, 2025

Sirius Computer, Inc. (“Sirius”) provides public notification of security vulnerabilities through publication of a Security Advisory document in PDF format posted on https://crux.sirius.computer/security-disclosure-policy. Each listed security vulnerability is assigned a CVE-ID (Common Vulnerabilities and Exposures - Identification) and a score based on the CVSS (Common Vulnerability Scoring System)™. Public Security Advisories provide information on the mitigation steps for each vulnerability.

There are currently no public advisories.

Security Disclosure Policy

Last updated
June 13, 2025

At Sirius Computer, Inc. (“Sirius”), the security of our products is our top priority. We proactively search for and respond to all reported security vulnerabilities, ensuring the rapid mitigation of issues and transparent communication with the security community, customers, partners, and end users. Our goal is to provide clear guidance on the solution, impact, severity, and mitigation of any identified vulnerabilities.

This policy currently applies to all Crux VPN products and components, including the SaaS edition, self-hosted edition, desktop and mobile clients, and supporting services (collectively, the “Crux products” or “products”).

Reporting a Potential Security Vulnerability

If you have identified a potential security vulnerability in a product, we encourage you to report it to us promptly. Please reach out to our security team at [email protected] with the following details:

  1. Affected Product(s) and Version(s): Specify the product(s) and version(s) where the vulnerability is observed.
  2. Detailed Description: Provide a thorough explanation of the vulnerability, including steps to reproduce the issue.
  3. Known Exploits (if applicable): Share information about any exploits you are aware of that leverage the vulnerability.

Our Commitment to the Security Community

Upon receiving your report, we will:

  • Acknowledge receipt of your submission within 1 business day.
  • Investigate and validate the reported issue.
  • Provide updates as we progress toward a resolution.
  • Coordinate the release of a fix or mitigation strategy, ensuring timely communication with all stakeholders.

We appreciate the collaboration of security researchers and professionals who help us maintain the safety and integrity of our products. Together, we can uphold the trust our users place in us.

Submitting a vulnerability report does not entitle the reporter to compensation, and Sirius does not operate a public bug bounty program. We do not guarantee that all reported issues will result in a fix or public advisory. Reports must not include data obtained through unauthorized access and must be submitted in good faith.