This scope is intended to explicitly exclude vulnerabilities in applications or packages written in Go that are not importable (for example, anything in package
main). See go.dev/security/vuln/database#excluded-reports for more information on excluded reports.
To report potential new vulnerabilities in the Go project, refer to go.dev/security/policy.
IMPORTANT: The form linked below creates a public issue on the issue tracker, and therefore must not be used to report undisclosed vulnerabilities in Go (see our security policy for instructions on reporting undisclosed issues).
To request a CVE ID for an existing PUBLIC vulnerability in the Go ecosystem, submit a request via this form.
A vulnerability is considered public if it has already been disclosed publicly, or it exists in a package you maintain, and you are ready to disclose it publicly.