Creating a public vulnerabilities database

There is a Google Summer of Code proposal project [1] for adding features to Hex that will allow users to report security vulnerabilities, maintaining a database of confirmed vulnerabilities, and displaying the reports on the hex.pm website and CLI tooling. I have talked about this in the past [2] and I hope it can work similarly to NPM’s feature set for reporting and curating vulnerabilities that @kitplummer linked to.

[1] https://github.com/erlef/gsoc/wiki/Project:-Elixir#idea-2-package-vulnerability-disclosure-for-hex
[2] Create Hex.pm Vulnerability Disclosure Feature
