BEAM There, Done That

AI Found 5 CVEs in One Afternoon — The BEAM Security Wake-Up Call | Peter Ullrich & Jonathan Machen

1 h 2 min, 29 May 2026

The BEAM ecosystem spent decades flying under the radar - too niche to attract serious attackers. That era is over.

In this episode, we sit down with Peter Ullrich, the developer who ran a $10 experiment at ElixirConf EU in Málaga and discovered a vulnerability that could crash the BEAM with a 13-character string - with zero prior security experience. Then we hear from Jonathan Machen, CISO of the Erlang Ecosystem Foundation, whose job is to catch and coordinate everything Peter finds.

We cover:

  • How Peter built a simple bash script that scanned the most-downloaded Hex packages - and what he found

  • Why LLMs have changed the cost and skill floor for vulnerability research forever

  • The CVE disclosure process: what happens from the moment a bug is found to the moment it's published

  • How the EEF's CNA went from 9 CVEs in a year to more in a single week

  • What library maintainers should do right now (spoiler: it's three clicks on GitHub)

  • The AGES initiative, supply chain security, and the gap between what's been built and what the moment demands

  • Why paying a vendor like Trivy isn't enough - and what actually needs to happen

If you run Phoenix in production, this episode is required listening.

Resources mentioned:

  • Peter's blog post and prompts: github.com/pultrich (linked in post)

  • Linux Foundation's Scrutineer project

  • Report vulnerabilities: [email protected]

  • Support the Erlang Ecosystem Foundation: erlef.org


BEAM There, Done That with Plangora is available on several platforms. The information on this page comes from public podcast feeds.