Security & Trust Center

Security is not a feature — it's how we build.

We take a defense-in-depth approach. Below is exactly how we protect your data and your accounts — no marketing fluff, only verifiable facts from our codebase.

Non-Custodial Architecture

TraderBotz never holds, custodies, or controls user funds. We use trade-only API keys — no withdrawal permissions needed or supported. No withdrawal endpoints exist in our codebase. Your funds stay on your exchange accounts (Crypto.com, Coinbase, Robinhood, Polymarket) at all times. We cannot withdraw, transfer, or access your money.

Credential Encryption

Exchange API keys are encrypted at rest with Fernet (AES-128-CBC with an HMAC-SHA256 tag). 2FA secrets and AI provider credentials use the same scheme. Key rotation is supported, so stored credentials can be re-encrypted under a new key without downtime. Passwords are hashed with bcrypt and never stored in plaintext.
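
The rotation mechanism described above, as an added illustration that is not TraderBotz code: every stored credential carries the id of the key that encrypted it, the key ring keeps the retired key alongside the new primary so every row stays readable, and a sweep re-encrypts only the rows still under the old key. Because the Python standard library has no AES, the cipher here is a labelled stand-in (an HMAC-SHA256 keystream plus a separate HMAC-SHA256 tag, encrypt-then-MAC in the same order Fernet uses); the `VersionedKey`, `KeyRing` and `rotate_store` names are this example's own, and the same ring logic applies unchanged to real Fernet tokens.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

# Token layout: MAGIC(2) | key_id(4, big-endian) | nonce(16) | ciphertext | tag(32)
MAGIC = b"v1"
HEADER_LEN = 2 + 4 + 16
TAG_LEN = 32


class VersionedKey:
    """One entry of the key ring: a numeric id plus a 32-byte master secret."""

    def __init__(self, key_id: int, secret: bytes) -> None:
        if len(secret) < 32:
            raise ValueError("master secret must be at least 32 bytes")
        self.key_id = key_id
        # Like Fernet, split the master secret into independent encryption and MAC keys.
        self.enc_key = hmac.new(secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(secret, b"mac", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CBC (assumption for this example): HMAC-SHA256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: VersionedKey, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    header = MAGIC + struct.pack(">I", key.key_id) + nonce
    body = _xor(plaintext, _keystream(key.enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over header and ciphertext, the same order Fernet uses.
    tag = hmac.new(key.mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def key_id_of(token: bytes) -> int:
    if len(token) < HEADER_LEN + TAG_LEN or token[:2] != MAGIC:
        raise ValueError("malformed token")
    return struct.unpack(">I", token[2:6])[0]


class KeyRing:
    """keys[0] is the primary (used for new ciphertexts); older keys are decrypt-only."""

    def __init__(self, keys: List[VersionedKey]) -> None:
        self.primary = keys[0]
        self.keys: Dict[int, VersionedKey] = {k.key_id: k for k in keys}

    def decrypt(self, token: bytes) -> bytes:
        key = self.keys.get(key_id_of(token))
        if key is None:
            raise ValueError("unknown key id")
        header, body, tag = token[:HEADER_LEN], token[HEADER_LEN:-TAG_LEN], token[-TAG_LEN:]
        expected = hmac.new(key.mac_key, header + body, hashlib.sha256).digest()
        # Verify the tag in constant time before touching the ciphertext.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed")
        nonce = header[6:HEADER_LEN]
        return _xor(body, _keystream(key.enc_key, nonce, len(body)))

    def rotate(self, token: bytes) -> Tuple[bytes, bool]:
        """Re-encrypt under the primary key; returns (token, False) if it already is."""
        if key_id_of(token) == self.primary.key_id:
            return token, False
        return encrypt(self.primary, self.decrypt(token)), True


def rotate_store(ring: KeyRing, store: Dict[str, bytes]) -> int:
    """Rewrite only the rows still encrypted under a retired key; returns how many changed.

    Reads keep working during the sweep because the ring still holds the old key,
    which is what makes the re-encryption possible without downtime.
    """
    changed = 0
    for name, token in list(store.items()):
        new_token, did_change = ring.rotate(token)
        if did_change:
            store[name] = new_token
            changed += 1
    return changed
```

Once `rotate_store` reports zero changes on a full pass, the retired key can be dropped from the ring; dropping it earlier would make any row the sweep has not yet reached unreadable.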

Authentication & Access Control

JWT tokens use HS256, with 1-hour access tokens and 7-day refresh tokens with rotation. TOTP two-factor authentication with recovery codes. OAuth: Apple Sign In and Google Sign In, with server-side token verification. Account lockout: 5 failed attempts trigger a 15-minute lockout. Rate limiting on all auth endpoints (3–10 requests/minute). Admin role separation: administrative actions require elevated privileges.

Rate Limiting & Abuse Prevention

Redis-backed rate limiting across all API endpoints. Default: 200 requests/minute. Auth endpoints: 3/minute for registration, 5/minute for login. Automatic lockout for brute-force attempts.
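
The limits and lockout rule stated above, as an added illustration that is not TraderBotz code: a sliding-window counter per (client, endpoint) using the page's figures (200/minute default, 3/minute for registration, 5/minute for login) and a per-account lockout of 15 minutes after 5 failed logins. The `AbuseGuard` class and its in-memory dictionaries are this example's stand-in for the Redis counters; the endpoint paths are assumed and not taken from the page.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# (max requests, window in seconds); figures from the page, paths are assumed.
DEFAULT_LIMIT = (200, 60)
AUTH_LIMITS = {"/auth/register": (3, 60), "/auth/login": (5, 60)}
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60


class AbuseGuard:
    """In-memory stand-in for Redis-backed counters (example only).

    Time is passed in explicitly so behaviour is deterministic and testable.
    """

    def __init__(self) -> None:
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def allow(self, client: str, endpoint: str, now: float) -> Tuple[bool, str]:
        """Sliding-window check: at most `limit` hits in the trailing `window` seconds."""
        limit, window = AUTH_LIMITS.get(endpoint, DEFAULT_LIMIT)
        hits = self._hits[(client, endpoint)]
        while hits and hits[0] <= now - window:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) >= limit:
            return False, "rate limited"
        hits.append(now)
        return True, "ok"

    def login_allowed(self, account: str, now: float) -> Tuple[bool, str]:
        """Reject logins for an account that is inside its lockout period."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return False, "locked out"
        return True, "ok"

    def record_login(self, account: str, success: bool, now: float) -> bool:
        """Track consecutive failures; returns True when this failure triggers a lockout."""
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return False
        self._failures[account] += 1
        if self._failures[account] >= LOCKOUT_THRESHOLD:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return True
        return False
```

The rate limit is keyed by client and endpoint while the lockout is keyed by account, so a burst from one address cannot lock out an unrelated user, and a slow, distributed guess against one account still hits the lockout.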

Self-Hosted Node Security

HMAC-SHA256 signed payloads on all node-to-server communication. 120-second replay protection window (rejects stale requests). Constant-time signature comparison (prevents timing attacks). Hardware fingerprinting detects unauthorized node duplication. Bytecode-only Docker images — source compiled to .pyc and stripped at build time.
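
The node-to-server signing scheme described above, as an added illustration that is not TraderBotz code: the node signs a timestamp, a nonce and a canonical JSON body with HMAC-SHA256, and the server rejects unknown nodes, requests outside the 120-second window, and bad signatures, comparing tags with `hmac.compare_digest` so the check takes the same time whether the first or last byte differs. The per-node nonce cache goes one step beyond what the page states: a time window alone still lets an identical request be accepted twice inside the window, so the verifier also remembers nonces for the length of the window. The `sign_request` and `NodeVerifier` names, the message layout and the sample payload are this example's own assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

REPLAY_WINDOW_SECONDS = 120


def canonical(payload: dict) -> bytes:
    # Sorted keys and fixed separators so both sides sign byte-identical JSON.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(node_secret: bytes, payload: dict, now: float,
                 nonce: Optional[str] = None) -> dict:
    """Node side: bind timestamp, nonce and body under one HMAC-SHA256 tag."""
    ts = int(now)
    nonce = nonce or secrets.token_hex(16)
    message = f"{ts}.{nonce}.".encode() + canonical(payload)
    sig = hmac.new(node_secret, message, hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "payload": payload, "sig": sig}


class NodeVerifier:
    """Server side: one shared secret per node id, plus a nonce cache per window."""

    def __init__(self, secrets_by_node: Dict[str, bytes]) -> None:
        self._secrets = secrets_by_node
        self._seen: Dict[Tuple[str, str], int] = {}  # (node_id, nonce) -> ts

    def verify(self, node_id: str, request: dict, now: float) -> Tuple[bool, str]:
        secret = self._secrets.get(node_id)
        if secret is None:
            return False, "unknown node"
        ts, nonce, sig = request.get("ts"), request.get("nonce"), request.get("sig", "")
        if not isinstance(ts, int) or not isinstance(nonce, str) or not nonce:
            return False, "malformed"
        # Stale (or far-future) timestamps are rejected before any crypto work.
        if abs(int(now) - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale timestamp"
        message = f"{ts}.{nonce}.".encode() + canonical(request.get("payload", {}))
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        # Constant-time comparison: no early exit on the first mismatching byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Only an authentic request may consume a nonce, so forgeries cannot
        # burn nonces that a legitimate node is about to use.
        self._expire(now)
        if (node_id, nonce) in self._seen:
            return False, "replayed nonce"
        self._seen[(node_id, nonce)] = ts
        return True, "ok"

    def _expire(self, now: float) -> None:
        cutoff = int(now) - REPLAY_WINDOW_SECONDS
        for key in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[key]
```

Nonces only need to be remembered for as long as the timestamp window, which keeps the cache bounded; a request older than the window is already rejected by the timestamp check.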

Transport Security

TLS termination via Caddy with automatic certificate management. HTTP Strict Transport Security (HSTS). Content Security Policy (CSP). X-Frame-Options, X-Content-Type-Options, Referrer-Policy headers. All outbound API calls to exchanges and AI providers over HTTPS.

Data Protection

Encrypted backups (GPG). Internal services on isolated Docker networks. Bearer tokens redacted from application logs. JWT secrets validated at startup — cannot run with defaults.

Vulnerability Reporting

Responsible disclosure process. We ask researchers not to disclose publicly until a patch is deployed. Contact: security@traderbotz.com.

What We Cannot Do

We believe in honest disclosure. Here are the limitations we cannot overcome:

  • We cannot withdraw your funds
  • We cannot access your exchange account beyond trade execution
  • We cannot guarantee third-party exchange uptime or API availability
  • We cannot prevent losses from market movements
  • We do not control network latency or exchange order execution speed

Report a Security Issue

If you discover a vulnerability, please report it responsibly. We appreciate researchers who help us improve.

security@traderbotz.com