- Document: SEC-001
- Version: 1.0.0
- Updated: 9 Feb 2026
- Audience: Security / InfoSec
- Full reference: Trust Center
- Contact: security@feedoracle.io
Scope
FeedOracle is a data infrastructure platform. We aggregate, normalize, and cryptographically sign public data from blockchain networks, central banks, and climate data organizations. We do not hold customer funds, process payments on behalf of users, or store sensitive personal data beyond API credentials.
Cryptographic Signing
| Property | Details |
|---|---|
| Algorithm | ECDSA with secp256k1 (ES256K) |
| Key format | PEM-encoded, filesystem-stored, permissions 0600 |
| Signing scope | JSON payload + timestamp + endpoint path |
| Key discovery | JWKS: /.well-known/jwks.json · Alias: /jwks · PEM: /.well-known/feedoracle-signing.pub |
| Key rotation target | Annual. Old keys remain valid for verification of historical signatures for 12 months post-rotation. |
| Key generation | Generated on-server via OpenSSL. Private keys are never transmitted off-server. |
Independent verification: Any client can verify response signatures using the public key from the JWKS endpoint. No FeedOracle SDK required.
Transport Security
| Layer | Implementation |
|---|---|
| TLS | 1.2 and 1.3, managed via Cloudflare |
| HSTS | Enabled: max-age=31536000; includeSubDomains |
| Certificates | Cloudflare-issued, auto-renewed |
| DDoS protection | Cloudflare (always-on) |
Infrastructure Hardening
| Control | Implementation |
|---|---|
| SSH access | Key-only authentication (no password auth). Non-standard port. fail2ban enabled. |
| Firewall | Restrictive rules: only required ports exposed. All other traffic dropped. |
| OS | Ubuntu 24 LTS. Unattended security updates enabled. |
| Application isolation | Per-service systemd units with restart policies and resource limits. |
| Backups | Automated daily backups to a geographically separate EU server. Encrypted in transit. |
| Monitoring | Real-time Telegram alerts for service failures, anomalous request patterns, disk/CPU thresholds. |
Access Controls
| Access type | Control |
|---|---|
| Server access | SSH key-only. Limited to platform operators (≤ 3 individuals). |
| API access | API key per customer. Rate-limited per tier. Keys revocable on request. |
| Database access | Local-only (no remote database connections exposed). |
| Admin panels | None exposed publicly. All administration via SSH. |
Vulnerability Disclosure
Responsible disclosure is welcome. Report vulnerabilities to security@feedoracle.io.
- Target acknowledgment: 48 hours
- Target resolution for critical issues: 72 hours
- No bug bounty program at this time