ChatRoom is maintained in a low-touch, archive-ready mode. Security fixes are considered for the current default branch and the latest tagged release surface; historical tags and abandoned branches are not actively maintained.

1. Do not publish exploit details in public Issues, PRs, or Discussions.
2. Use GitHub's private vulnerability reporting flow when available: https://github.com/LessUp/chatroom/security/advisories/new
3. If that form is unavailable for your account, open a public issue or discussion only to request a private contact path. Do not include sensitive details in that public message.
4. Include the affected surface, reproduction steps, impact, and any suggested mitigation you already know.

• Prefer coordinated disclosure.
• Wait until maintainers have had a chance to triage and patch before publishing details.
• Security fixes and user-visible mitigations are communicated through the repository's canonical release surfaces.

• The app fails startup outside dev when JWT_SECRET is left at the default insecure value.
• Passwords are hashed with bcrypt.
• Access and refresh tokens have separate lifetimes and refresh rotation is persisted server-side.
• Production WebSocket authentication is expected to use one-time tickets instead of URL token passing.
• Frontend token storage is simplified for teaching purposes; production deployments should prefer a safer transport such as httpOnly cookies.

APP_ENV=production
JWT_SECRET=<32+ byte random secret>
DATABASE_DSN=<secure PostgreSQL DSN>
ALLOWED_ORIGINS=https://your-domain.example
LOG_LEVEL=warn
LOG_FORMAT=json

• Releases: https://github.com/LessUp/chatroom/releases
• Changelog: CHANGELOG.md

感谢所有负责任披露安全问题的研究者！