Security disclosure policy.
Spey Systems Ltd takes security seriously. This page describes how to report vulnerabilities responsibly and what to expect in response.
Last reviewed
Scope
This policy applies to all systems operated by Spey Systems Ltd, including speysystems.com, axilog.io, speytech.com, app.speybooks.com, and speybooks.com.
For vulnerabilities in open-source repositories hosted at github.com/SpeyTech, use GitHub's private vulnerability reporting feature where available, or contact the address below.
How to report
Send a description of the vulnerability to security@speysystems.com with the subject line "Security disclosure".
Include as much detail as is practical: affected system, reproduction steps, potential impact, and your assessment of severity. Do not include credentials, personal data belonging to others, or exploit code in an initial report.
Encrypted correspondence is supported. The public key for security@speysystems.com is available at:
- Fingerprint
542B D27C 60AD 4BDE E2DD D1EA 3C0B 2A08 4F0F 132B- Key type
- Ed25519
- Created
- 15 May 2026
Response timeline
- Acknowledgement
- Within 5 working days of receipt
- Initial assessment
- Within 10 working days
- Resolution target
- Within 90 days for critical issues; longer for complex architectural issues with advance notice
- Disclosure
- Coordinated disclosure after resolution. Spey Systems Ltd will credit researchers who report in good faith unless they request otherwise.
Expected conduct
Spey Systems Ltd asks that security researchers act in good faith: avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability; do not perform denial-of-service testing; do not disclose publicly before resolution.
Spey Systems Ltd will not pursue legal action against researchers who act in good faith and follow this policy.
Contact
Security disclosures can also be submitted via the security.txt contact route.
Related: Privacy policy · Legal imprint · All policies