[doc] a word on BigDecimal/BigInteger
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index f072a33..0b554bb 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -37,3 +37,13 @@
 should be addressed to the [mailing list](http://johnzon.apache.org/mail-lists.html).
 
 The private security mailing address is: security (at) apache (dot) org
+
+## BigInteger and Java
+
+JSON-P/JSON-B exposes API using `BigDecimal` and `BigInteger`.
+The bridge between these two types is `BigDecimal#toBigInteger` which has a slow implementation in Java without careness or scale max validation.
+
+Johnzon does some sanity checks on this value but at some point we recommend you to stay away from these API and handle big numbers using `String` type and parse them yourself since you are the only ones knowing the correct functional and relevant validation of the scale before a instantiation.
+
+If you know you don't need such big types, prefer using plain primitives (or wrappers).
+
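Review bot: The new section states that Johnzon "does some sanity checks on this value" but never says which checks, what limit they enforce, or whether the limit is configurable, so a reader cannot tell whether the default protects them or decide when the String-based parsing you recommend is actually needed; please name the check (and its configuration knob or default, if one exists) in this section. Two smaller points: the heading `## BigInteger and Java` covers only half of the topic, since the text is about the `BigDecimal` to `BigInteger` bridge, so `## BigDecimal, BigInteger and Java` would be more accurate; and the wording in the second and third paragraphs needs a pass ("without careness or scale max validation" reads better as "without care for, or validation of, the maximum scale", "we recommend you to stay away from these API" as "we recommend staying away from these APIs", and "before a instantiation" as "before instantiation"). The final `+` line also adds a trailing empty line at end of file, which can be dropped.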