BEAM There, Done That - The BEAM security wake-up call episode

We just published a new episode of BEAM There, Done That that I think deserves a focused discussion here.

Peter Ullrich spent an afternoon at ElixirConf EU running a $10 Claude experiment against the most-downloaded Hex packages. He found a critical vulnerability in decimal - a library used by almost every database and money-handling package in the ecosystem - in under 30 minutes, with no prior security experience. Since then he’s been systematically scanning further down the list and has reported roughly twice as many vulnerabilities as have been published so far.

Jonathan Machen, EEF CISO and operator of the Erlang Ecosystem Foundation’s CVE Numbering Authority, joins to explain what happens on the receiving end of those reports and where the infrastructure currently stands.

For library maintainers specifically: Jonathan’s single recommendation is to enable private vulnerability reporting on GitHub (three clicks) and write a security policy. If Peter finds something in your library, this is how he reaches you privately before anything is public. Without it, disclosure gets significantly harder for everyone.

The patterns appearing most often:

  • String.to_atom/1 and binary_to_term/1 enabling atom table exhaustion or remote code execution

  • HTTP libraries with missing buffer caps on WebSocket connections

  • Sobelow and Credo catch a meaningful portion of these statically

Peter’s prompts are open source - linked from his blog post if you want to run a scan on your own codebase. He recommends feeding your application file-by-file to Claude Opus with a prompt focused on externally-reachable attack vectors.

The bigger picture: the obscurity advantage the ecosystem relied on for 30 years is eroding. The EEF is building real infrastructure to replace it (CNA, AGES initiative, supply chain security), but it’s currently funded by a single sponsorship and staffed largely by volunteers. If your company is running Phoenix in production, that’s worth thinking about.

Happy to discuss the technical patterns, the disclosure process, or anything else from the episode.

5 Likes
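The three patterns listed in the first post, each shown in an unsafe form beside a hardened one. This is an added example written for this thread, not code from the episode, from Peter's prompts, or from any Hex package; the function names, the status allow-list, the expected payload shape, and the 1 MiB frame cap are all illustrative assumptions.

```elixir
defmodule UntrustedInput do
  @moduledoc """
  Added example (not from any Hex package): the unsafe conversion and
  buffering patterns from the thread, each beside a hardened version.
  All names and limits here are illustrative.
  """

  # ---- Pattern 1: atom creation from external strings ----------------
  # Every distinct string creates a new atom, and atoms are never garbage
  # collected, so a caller who controls `name` can fill the atom table
  # (1_048_576 entries by default) and crash the VM.
  def unsafe_status(name) when is_binary(name), do: String.to_atom(name)

  # Hardened: map the external string onto an explicit allow-list, so no
  # atom is ever created from input. (String.to_existing_atom/1 is the
  # weaker alternative; it still accepts any atom the VM already has.)
  @allowed_statuses %{"active" => :active, "inactive" => :inactive, "pending" => :pending}
  def safe_status(name) when is_binary(name) do
    case Map.fetch(@allowed_statuses, name) do
      {:ok, atom} -> {:ok, atom}
      :error -> {:error, :unknown_status}
    end
  end

  # ---- Pattern 2: deserialising external Erlang terms -----------------
  # Plain binary_to_term/1 creates whatever atoms the payload names and
  # decodes pids, refs and fun references, so a crafted binary can exhaust
  # the atom table or hand the application a term it later evaluates.
  def unsafe_decode(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # Hardened: the :safe option refuses to create new atoms (directly or
  # embedded in pids, refs and funs) and new external function references;
  # the decoded term is then shape-checked before it is used.
  def safe_decode(bin) when is_binary(bin) do
    term = :erlang.binary_to_term(bin, [:safe])
    if valid_shape?(term), do: {:ok, term}, else: {:error, :unexpected_term}
  rescue
    ArgumentError -> {:error, :malformed}
  end

  # Hypothetical expected shape: a map with integer "id" and "amount".
  defp valid_shape?(%{"id" => id, "amount" => amount})
       when is_integer(id) and is_integer(amount),
       do: true

  defp valid_shape?(_), do: false

  # ---- Pattern 3: unbounded WebSocket frame reassembly ----------------
  # Fragmented frames are accumulated until the final fragment arrives; a
  # peer that keeps sending continuation fragments grows the buffer without
  # limit. A cap (assumed 1 MiB here) rejects the frame instead.
  @max_frame_bytes 1_048_576

  def unsafe_append(buffer, fragment), do: buffer <> fragment

  def safe_append(buffer, fragment)
      when byte_size(buffer) + byte_size(fragment) > @max_frame_bytes,
      do: {:error, :frame_too_large}

  def safe_append(buffer, fragment), do: {:ok, buffer <> fragment}

  # ---- Demonstration with constructed inputs --------------------------
  def demo do
    {:ok, :active} = safe_status("active")
    {:error, :unknown_status} = safe_status("not_a_real_status")

    # A well-formed payload decodes and passes the shape check.
    {:ok, %{"id" => 1, "amount" => 500}} =
      safe_decode(:erlang.term_to_binary(%{"id" => 1, "amount" => 500}))

    # A hand-built external-term payload naming an atom this VM has never
    # created (version 131, ATOM_UTF8_EXT tag 118, 16-bit length, name).
    name = "atom_this_vm_has_never_seen"
    payload = <<131, 118, byte_size(name)::16, name::binary>>
    {:error, :malformed} = safe_decode(payload)

    # One byte past the cap fails the append instead of growing the buffer.
    full = :binary.copy(<<0>>, @max_frame_bytes)
    {:error, :frame_too_large} = safe_append(full, <<1>>)
    {:ok, _} = safe_append(<<>>, "hello")

    :ok
  end
end
```

Running `UntrustedInput.demo()` in `iex` returns `:ok` if every match holds; the constructed payload is the kind of input a scanner like Sobelow flags when it reaches `binary_to_term/1` without `:safe`.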

AI just changed the threat model for our ecosystem - here’s what’s happening and what you should do

That’s a scary headline. Maximum fear! Great marketing. I bet it was written by AI.

Cui bono? Here comes the ‘security consultants’, regulators and foundations. For your safety.

2 Likes

For library maintainers specifically: Jonathan’s single recommendation is to enable private vulnerability reporting on GitHub (three clicks) and write a security policy. If Peter finds something in your library, this is how he reaches you privately before anything is public. Without it, disclosure gets significantly harder for everyone.

Good idea, I added a SECURITY.md and enabled private channel reporting on all my Elixir repos 🙂

Can you break this down? I haven’t yet watched the video.

1 Like

Sorry, I forgot to add the quote to my answer! I was referring to that low-hanging fruit of just enabling private reporting on GitHub.