Peter Ullrich on Hunting CVEs
Author: Elixir Mentor
Uploaded: 2026-05-29
Views: 201
Description:
Peter Ullrich returns to break down how he's using Claude Code (Opus 4.7) to scan the most-downloaded Hex packages for vulnerabilities, the string of CVEs he's already reported, and what it means for the BEAM ecosystem now that finding a serious exploit can cost as little as $10. We get into his setup, his open-sourced prompts, and the responsible disclosure process he runs with the EEF.
0:00:00 - Intro and sponsors
0:01:10 - Peter returns: the CVE hunt across Hex packages
0:03:10 - Why he started, and pointing Claude Code at the most-downloaded packages
0:04:58 - The first finding: the Decimal vulnerability
0:10:38 - What makes a real CVE: the CVSS scoring system
0:12:49 - Attack surface and reachable code paths in Phoenix
0:19:14 - Working with the EEF and the reporting process
0:23:24 - Reading Claude's reports and probing a library's public API
0:27:59 - Regulation, breach reporting, and who should be accountable
0:37:51 - Avoiding slop reports and how maintainers respond
0:41:27 - Becoming a CNA and how a CVE number gets issued
0:48:47 - Funding the work and comparing Opus to Mythos
0:52:05 - Trying other models vs. sticking with Claude
1:01:55 - Opus 4.8 first impressions and the ~$10 scan
1:06:17 - Peter's Session Watcher plugin
1:08:03 - Killswitch: zero-knowledge storage and growing a SaaS
1:10:59 - AEO and the shifting shape of web search
1:19:19 - Dev containers for running coding agents
1:27:25 - Social media and developer visibility
1:34:36 - Back to vulnerabilities: the Decimal debate on Reddit
1:44:46 - Dead man's switches, Killswitch, and digital privacy
Resources Mentioned:
The blog post that started this: https://peterullrich.com/what-the-cve...
Peter's open-sourced prompts (gist): https://gist.github.com/PJUllrich/c8b...
Scrutineer (basis for the deep scan): https://github.com/alpha-omega-securi...
Decimal advisory (the first finding): https://github.com/ericmj/decimal/sec...
EEF CNA published CVEs: https://cna.erlef.org/cves/?utm_sourc...
EEF CNA security policy: https://cna.erlef.org/security-policy...
Responsible disclosure guidelines: https://security.erlef.org/security_v...
Anthropic article the setup was based on: https://red.anthropic.com/2026/proper...
Connect with Peter:
Website: https://peterullrich.com/?utm_source=...
GitHub: https://github.com/pjullrich?utm_sour...
LinkedIn: https://linkedin.com/in/pjullrich?utm...
Bluesky: https://bsky.app/profile/peterullrich...
THANKS TO OUR SPONSORS
BEAMOps: https://beamops.co.uk?utm_source=elix...
Paraxial.io: https://paraxial.io?utm_source=elixir...
SUPPORT ELIXIR MENTOR
Elixir Mentor: https://elixirmentor.com/?utm_source=...
#ElixirLang #BEAM #AppSec #ClaudeCode #ElixirMentor