Unfortunately this has been the documented behaviour of :ssl (and, by extension, :httpc) all along, so the OTP team does not consider this a vulnerability. It is important that everyone is aware of it, and I would highly recommend adding test cases to verify that connections fail when they should (e.g. using https://badssl.com) to any application that includes some sort of TLS client.

The fact that a CA trust store is not included is no real excuse for not setting {:verify, :verify_peer}. Ideally that would be the default, which would cause TLS clients to fail unless the caller passed in the :cacertfile/:cacerts option or explicitly disabled verification with {:verify, :verify_none}.

Congrats on what seems to be an excellent work, just by the quick lookup I made

I found this to be a good primer on secure ssl/httpc usage: