
Security: mehdi124/chat-service


SECURITY.md

Security Policy

Supported Versions

Version 1.x.x: supported

Reporting a Vulnerability

We take the security of Chat Service seriously. If you believe you have found a security vulnerability, please report it to us as described below.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

📧 mehdi124@users.noreply.github.com

Please include the following information:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: Within 30 days (depending on complexity)

What to Expect

  1. Acknowledgment: We'll acknowledge receipt of your report
  2. Assessment: We'll assess the vulnerability and determine its impact
  3. Fix Development: We'll develop a fix for the vulnerability
  4. Release: We'll release a patched version
  5. Disclosure: After the fix is released, we'll publicly disclose the vulnerability

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research

We will not pursue legal action against researchers who:

  • Make a good faith effort to avoid privacy violations and data destruction
  • Do not exploit the vulnerability beyond demonstrating it
  • Report vulnerabilities promptly

Security Best Practices for Users

When deploying Chat Service:

  1. Use strong secrets for JWT, Redis, and database passwords
  2. Enable TLS/SSL for all connections in production
  3. Keep dependencies updated regularly
  4. Use environment variables for sensitive configuration
  5. Enable firewall rules to restrict database/Redis access
  6. Monitor logs for suspicious activity
  7. Rotate credentials periodically
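The checklist above is easiest to enforce at startup: read every secret from the environment, refuse to run with a missing, short or low-variety value, and require TLS when the deployment is marked as production. The following Go program is an added illustration and is not code from the chat-service repository; the variable names (APP_ENV, JWT_SECRET, REDIS_PASSWORD, DB_PASSWORD, TLS_ENABLED), the 32-byte minimum and the "at least 8 distinct bytes" heuristic are all assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Config collects the secrets and switches the deployment checklist refers to.
// Field names and environment variable names are hypothetical; the real
// chat-service configuration may use different ones.
type Config struct {
	Env           string // "production" or "development"
	JWTSecret     string
	RedisPassword string
	DBPassword    string
	TLSEnabled    bool
}

// minSecretLen is a constructed policy value: 32 bytes is a 256-bit key,
// the usual floor for an HMAC-based JWT signing secret.
const minSecretLen = 32

// minDistinct is a constructed heuristic: a 32-byte secret made of one or
// two repeated characters is padding, not entropy.
const minDistinct = 8

// Lookup abstracts os.LookupEnv so the loader can be exercised against a map.
type Lookup func(key string) (string, bool)

// MapLookup adapts a plain map to the Lookup signature (handy in tests).
func MapLookup(m map[string]string) Lookup {
	return func(k string) (string, bool) { v, ok := m[k]; return v, ok }
}

// LoadConfig reads settings only from the environment (never from files
// checked into the repository) and collects every problem before failing,
// so an operator sees the whole list in one run.
func LoadConfig(lookup Lookup) (Config, error) {
	env, _ := lookup("APP_ENV")
	if env == "" {
		env = "development"
	}
	tls, _ := lookup("TLS_ENABLED")
	cfg := Config{Env: env, TLSEnabled: tls == "true"}

	var problems []string
	cfg.JWTSecret = requireSecret(lookup, "JWT_SECRET", &problems)
	cfg.RedisPassword = requireSecret(lookup, "REDIS_PASSWORD", &problems)
	cfg.DBPassword = requireSecret(lookup, "DB_PASSWORD", &problems)
	if cfg.Env == "production" && !cfg.TLSEnabled {
		problems = append(problems, "TLS_ENABLED must be true in production")
	}
	if len(problems) > 0 {
		// Return no partial config: a caller must never fall back to a default secret.
		return Config{}, errors.New(strings.Join(problems, "; "))
	}
	return cfg, nil
}

// requireSecret fetches one secret and records why it is unacceptable.
func requireSecret(lookup Lookup, key string, problems *[]string) string {
	v, ok := lookup(key)
	switch {
	case !ok || v == "":
		*problems = append(*problems, key+" is not set")
	case len(v) < minSecretLen:
		*problems = append(*problems, fmt.Sprintf("%s is too short (%d bytes, need at least %d)", key, len(v), minSecretLen))
	case distinctBytes(v) < minDistinct:
		*problems = append(*problems, key+" has too little variety (looks like a padded placeholder)")
	}
	return v
}

// distinctBytes counts the different byte values in s.
func distinctBytes(s string) int {
	seen := make(map[byte]bool, len(s))
	for i := 0; i < len(s); i++ {
		seen[s[i]] = true
	}
	return len(seen)
}

func main() {
	cfg, err := LoadConfig(func(k string) (string, bool) { return os.LookupEnv(k) })
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("config OK (env=%s, tls=%v)\n", cfg.Env, cfg.TLSEnabled)
}
```

Failing closed at startup, with all problems reported at once, is what makes items 1, 2 and 4 of the list enforceable rather than advisory: a container that boots with an empty JWT secret is far harder to notice in logs than one that exits immediately with the reason.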

Known Security Considerations

  • WebSocket connections require valid JWT tokens
  • File uploads are validated for type and size
  • SQL queries use parameterized statements (via Bun ORM)
  • Passwords and secrets should never be committed to version control

Thank you for helping keep Chat Service and its users safe!

There aren’t any published security advisories