It has been suggested in #10250 that there is a security vulnerability by which a running compiler can be attacked by a client. I'm extremely skeptical, but out of that discussion a few notes have arisen:
- Insufficient entropy in the client cookie - in theory, an attacker who can also reliably predict ports could connect and send serialization gadgets to the compiler process. Switching to SecureRandom should resolve this.
- Don't accept a client until it has presented a valid cookie, and invalidate that cookie when it is presented. If a client presents a bad cookie, log it and wait for another. This mitigates a potential DoS from an attacker who can accurately guess the port number within the narrow window while workers are starting.
- Only after a client is accepted should the ObjectInputStream be created, so that an unauthenticated client never gets the chance to attack the server with untrusted serialized data.
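The three notes above fit together into one accept loop. The following is an added illustration, not code from this project: the cookie comes from SecureRandom, a connection is read as fixed-length raw bytes and compared in constant time, a match consumes the cookie, a mismatch is logged and the loop keeps listening, and an ObjectInputStream is only constructed for the socket that passed. Class and method names are hypothetical.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public final class CookieGatedServer {
    private static final int COOKIE_LEN = 32;
    private final SecureRandom rng = new SecureRandom();  // not java.util.Random
    private byte[] pendingCookie;  // null once consumed: each cookie is single-use

    /** Mint a fresh cookie; hand it to the client out of band (e.g. a mode-0600 file). */
    public synchronized byte[] issueCookie() {
        pendingCookie = new byte[COOKIE_LEN];
        rng.nextBytes(pendingCookie);
        return pendingCookie.clone();
    }

    /** Constant-time compare; a match consumes the cookie so a replay fails. */
    public synchronized boolean redeemCookie(byte[] presented) {
        if (pendingCookie == null || presented == null) return false;
        boolean ok = MessageDigest.isEqual(pendingCookie, presented);
        if (ok) { Arrays.fill(pendingCookie, (byte) 0); pendingCookie = null; }
        return ok;
    }

    /** Loop until a client redeems the cookie; only then wrap its stream in ObjectInputStream. */
    public ObjectInputStream acceptAuthenticated(ServerSocket server) throws IOException {
        while (true) {
            Socket s = server.accept();
            try {
                // The cookie is read as a fixed number of raw bytes: nothing is deserialized yet.
                DataInputStream in = new DataInputStream(s.getInputStream());
                byte[] presented = new byte[COOKIE_LEN];
                in.readFully(presented);
                if (redeemCookie(presented)) return new ObjectInputStream(s.getInputStream());
                System.err.println("bad cookie from " + s.getRemoteSocketAddress() + ", waiting");
            } catch (IOException e) {
                System.err.println("client dropped before presenting a cookie: " + e.getMessage());
            }
            s.close();  // reject and keep listening rather than tearing the server down
        }
    }
}
```

A client that connects and sends anything other than the 32 cookie bytes is closed before any object stream exists, so a guessed port alone buys an attacker nothing.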