Security Disclosure Policy
Last Updated
May 27, 2026
Sirius Computer, Inc. (“Sirius”) provides public notification of security vulnerabilities through publication of a security advisory document in PDF format posted on https://sirius.computer/security-disclosure-policy. Each listed security vulnerability is assigned a CVE-ID (Common Vulnerabilities and Exposures - Identification) and a score based on the CVSS (Common Vulnerability Scoring System)™. Public security advisories provide information on the mitigation steps for each vulnerability.
There are currently no public advisories.
Security Disclosure Policy
At Sirius Computer, Inc. (“Sirius”), the security of our products is our top priority. We proactively search for and respond to all reported security vulnerabilities, ensuring the rapid mitigation of issues and transparent communication with the security community, customers, partners, and end users. Our goal is to provide clear guidance on the solution, impact, severity, and mitigation of any identified vulnerabilities.
Sirius is a CVE Numbering Authority (CNA) authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within its CNA scope. This policy describes how to report a vulnerability, the process reporters should expect, when Sirius will assign and publish a CVE ID, and the responsibilities of the reporter during coordinated disclosure.
Scope
This policy applies to all Crux VPN products and components, including the SaaS edition, self-hosted edition, desktop and mobile clients, and supporting services (collectively, the “Crux Products” or “Products”). These products constitute the Sirius CNA scope for CVE ID assignment.
Vulnerabilities in third-party components redistributed within a Sirius product are generally out of scope for Sirius CVE assignment and should be reported to the upstream CNA or project. Where such a vulnerability materially affects a Sirius product, Sirius may publish an advisory referencing the upstream CVE ID.
Reporting a Potential Security Vulnerability
If you have identified a potential security vulnerability in a Product, we encourage you to report it to us promptly. Please reach out to our security team at [email protected] with the following details:
- Affected product(s) and version(s): specify the product(s) and version(s) where the vulnerability is observed.
- Detailed description: provide a thorough explanation of the vulnerability, including steps to reproduce the issue, any proof-of-concept code, and the observed and expected behaviour.
- Impact assessment: describe the potential impact, including attack vector, privileges required, and any CVSS v3.1 or v4.0 score you propose.
- Known exploits (if applicable): share information about any exploits you are aware of that leverage the vulnerability, and whether the issue is believed to be actively exploited.
- Reporter contact details: a reply address and, if you wish to be credited in any resulting advisory, the name or handle and affiliation you would like published.
Sensitive technical details may be encrypted to the Sirius security team OpenPGP key, available on request from [email protected].
What to Expect After You Report
When a report is received, Sirius will follow this process:
- Acknowledgement (within 1 business day): we will confirm receipt of your submission and assign an internal tracking identifier.
- Triage (within 5 business days): we will validate the report, attempt to reproduce the issue, determine whether it falls within our CNA scope, and provide an initial assessment including a provisional severity.
- Investigation and remediation: we will identify affected versions, develop a fix or mitigation, and agree a coordinated disclosure date with the reporter. We aim for remediation within 90 days of validation; issues of higher severity or active exploitation will be prioritised accordingly.
- Status updates: we will provide written updates to the reporter at least every 14 days until the issue is closed.
- Disclosure: once a fix or mitigation is available, or the agreed disclosure date is reached, we will publish an advisory and the associated CVE record.
Sirius will assign a CVE ID to any vulnerability that meets all of the following criteria:
- It affects a Product within the Sirius CNA scope.
- It has been validated by the Sirius security team as a genuine vulnerability as defined by the CVE Program (an issue that violates the Product’s intended security policy).
- It is distinct from any vulnerability already covered by an existing CVE ID.
The CVE ID will typically be reserved promptly after triage and confirmation, and in all cases prior to public disclosure. Where a reporter requires a CVE ID in advance of disclosure (for example, to coordinate with downstream vendors), Sirius will reserve an ID on request once the issue has been validated.
If Sirius determines that a reported issue is out of scope, is not a vulnerability, or is a duplicate, we will explain the decision to the reporter. Reporters who disagree with a CVE assignment decision may escalate through the CVE Program’s dispute process via the CNA of Last Resort.
Publication of CVE Records and Advisories
Sirius will publish the CVE record and a corresponding security advisory at the earlier of (a) the release of a fix or mitigation or (b) the coordinated disclosure date agreed with the reporter. In cases of active exploitation or public disclosure by a third party, Sirius may publish earlier to protect users.
Each advisory will include the CVE ID, affected products and versions, a description of the vulnerability, a CVSS score and vector, mitigation or fix information, and, where the reporter has consented, credit to the reporter. The CVE record will be submitted to the CVE Program and made available through cve.org and the National Vulnerability Database (NVD). The Sirius advisory will be posted on https://sirius.computer/security-disclosure-policy.
Expectations of Vulnerability Reporters
To maintain a safe and productive coordinated disclosure process, we ask reporters to:
- Report in good faith and act only on systems, accounts, and data you own or are explicitly authorised to test.
- Avoid actions that degrade, disrupt, or destroy data or service for other users, including denial-of-service and high-volume automated testing against production systems.
- Access only the minimum data necessary to demonstrate a vulnerability, and delete any such data as soon as the report is complete.
- Maintain the confidentiality of the vulnerability until a fix or mitigation has been released, or until the coordinated disclosure date agreed with Sirius has passed.
- Not publicly disclose, share with third parties (other than the CVE Program or downstream vendors required for coordination), or exploit the vulnerability before the coordinated disclosure date.
- Work with Sirius on the timing and content of any public write-up, and allow Sirius a reasonable opportunity to review technical details prior to publication.
Sirius will treat reports received in accordance with this policy as authorised security research and will not pursue legal action against researchers who act in good faith and in compliance with this policy. This commitment does not apply to research conducted in violation of applicable law, in bad faith, or that causes harm to Sirius, its customers, or third parties.
Our Commitment to the Security Community
We appreciate the collaboration of security researchers and professionals who help us maintain the safety and integrity of our Products. Where a reporter wishes to be credited, Sirius will acknowledge their contribution in the published advisory and CVE record.
Legal Disclaimer
Submitting a vulnerability report does not entitle the reporter to compensation, and Sirius does not operate a public bug bounty program. We do not guarantee that all reported issues will result in a fix, advisory, or CVE assignment. Reports must not include data obtained through unauthorised access and must be submitted in good faith.