Nov 8, 2021, 7:00:10 AM
Bugs that cause archive/zip.Reader to panic on certain input files are
treated as security issues, while similar bugs for debug/elf.File are
I think treating these file formats differently makes sense, given
different usage scenarios. However, I couldn't find an obvious place
where this is documented.
Maybe Go could adopt some standard language (“This package is not
expected to be used to process untrusted input data.”) and reference
that in the security policy?