If you discover a security issue in Crucix, please report it privately instead of opening a public GitHub issue.

Email: celesthioailabs@gmail.com

Use a subject line like:

[Crucix Security] short description

Please include:

• affected component or file
• steps to reproduce
• impact
• proof of concept if available
• any suggested remediation

Best-effort targets:

• acknowledgement within 72 hours
• initial triage within 7 days
• coordinated disclosure after a fix is available

The highest-priority reports are:

• XSS or HTML/script injection in the dashboard
• unsafe rendering of mixed-source external content
• authentication or secret-handling issues
• server-side injection or path traversal
• dependency or supply-chain issues with real exploit impact

The following are generally lower priority unless they create a concrete exploit path:

• minor UI bugs
• missing best-practice headers without impact
• rate limiting or reliability issues without a security consequence

Please do not disclose the issue publicly until a fix is shipped or we agree on a disclosure timeline.