
Elixir Mentor

Jacob Luetzow

85 episodes

  • Elixir Mentor

    Peter Ullrich on Hunting CVEs

    30.05.2026 | 1 hr 50 min
    Peter Ullrich returns to talk about a CVE hunt across the most-downloaded Hex packages, run with Claude Code on Opus 4.7. After ElixirConf EU pulled him into AI security, he started pointing Opus at popular libraries day and night, and within half an hour of his first serious attempt he found the Decimal vulnerability, where raising 10 to a huge power can blow up an application's memory.
    We get into what separates a real CVE from noise, how CVSS scoring works, and why reachability matters so much, since a flaw in Phoenix's default configuration is far more serious than a crash in a function nobody can call. Peter also walks through the process he runs with the EEF: verifying each issue, getting a second pair of eyes, coordinating a fix, and getting a number issued through a CNA, all while avoiding slop reports to maintainers. There's also a candid stretch on regulation and breach reporting.
    From there it widens out, including how Opus compares to Mythos, why Peter keeps coming back to Claude, his first impressions of Opus 4.8, and the economics, with a simple scan costing about $10 in API tokens. He also shares his Session Watcher plugin, an update on Killswitch and its browser-side encryption, thoughts on AEO, and how he uses dev containers to sandbox coding agents.
    Resources Mentioned:
    - The blog post that started this: https://peterullrich.com/what-the-cve
    - Peter's prompts: gist
    - Scrutineer: github.com/alpha-omega-security/scrutineer
    - Decimal advisory: GHSA-rhv4-8758-jx7v
    - EEF CNA published CVEs: cna.erlef.org/cves
    - EEF CNA security policy: cna.erlef.org/security-policy
    - Responsible disclosure guidelines: security.erlef.org
    - Anthropic article (the basis): red.anthropic.com
    Connect with Peter:
    - Website: peterullrich.com
    - GitHub: github.com/pjullrich
    - LinkedIn: linkedin.com/in/pjullrich
    - Bluesky: @peterullrich.com
    Thanks to our sponsors:
    - BEAMOps: beamops.co.uk
    - Paraxial.io: paraxial.io
    SUPPORT ELIXIR MENTOR
    - Elixir Mentor: elixirmentor.com
  • Elixir Mentor

    Jason Allum on Bedrock

    24.05.2026 | 1 hr 35 min
    In this episode of the Elixir Mentor Podcast, I sit down with Jason Allum, creator of Bedrock and Beadwork and a 40-year veteran of computing, to talk about Bedrock: an embedded, distributed key-value store for Elixir with guarantees that go beyond ACID.
    Jason walks through the problem Bedrock solves, keeping distributed state consistent when the same data is read and written across many nodes. We get into why the BEAM's decades-old ideas map cleanly onto today's AI and agent workloads, how Bedrock borrows its architecture from FoundationDB, and what serializable transactions actually buy you over plain ACID.
    From there we dig into the machinery: log servers versus storage servers, the five-second version window and MVCC, letting it crash with supervision-tree thinking across a cluster, and how rows can live as values while indexes become keys. Jason also covers running distributed jobs with leases and what it takes to swap Postgres out for Bedrock.
    Along the way Jason makes the case that none of this is magic, that the real wins come from understanding your machine and the shape of your data. We finish on Beadwork, his lightweight system for managing agent tickets directly in git. If you build with Elixir or care about distributed databases, there's a lot here to chew on.
    Connect with Jason:
    - X/Twitter: https://x.com/mullaj
    - GitHub: https://github.com/jallum
    Projects:
    - Bedrock: https://github.com/bedrock-kv/bedrock
    - Beadwork: https://github.com/jallum/beadwork
    Resources Mentioned:
    - Notes on the FoundationDB paper: https://uvdn7.github.io/notes-on-the-foundationdb-paper/
    - FoundationDB architecture: https://apple.github.io/foundationdb/architecture.html
    - Raft consensus algorithm (GeeksforGeeks): https://www.geeksforgeeks.org/system-design/raft-consensus-algorithm/
    - The Raft Consensus Algorithm: https://raft.github.io/
    Sponsors:
    - BEAMOps: https://beamops.co.uk
    - Paraxial.io: https://paraxial.io
    - Jido (Elixir AI Collective Discord): https://agentjido.xyz/discord
    SUPPORT ELIXIR MENTOR
    - Elixir Mentor: https://elixirmentor.com
  • Elixir Mentor

    Michael Lubas on AI, Attack, and Defense

    16.05.2026 | 1 hr 31 min
    Michael Lubas, CEO of Paraxial.io, returns to the Elixir Mentor Podcast to talk about AI's dual role in cybersecurity: finding the vulnerabilities and writing the code that creates them. Michael was my first-ever guest, and a lot has changed since his last appearance — most of it driven by the inflection point of the past six months.
    We open with the Hex package manager penetration test that Paraxial conducted as part of the Aegis initiative under the Erlang Ecosystem Foundation, funded through Alpha Omega and its donors. Michael caught a remote code execution vulnerability before it shipped, and the public report gives Elixir a strong story to tell about the security of its package ecosystem. From there we get into GitHub Actions supply chain attacks, why zizmor is the tool every maintainer should be running, and the recent campaigns where malicious code targets release pipelines rather than application source.
    The conversation turns to the AI inflection point. The Erlang Ecosystem Foundation's CNA issued nine CVEs in all of 2025 and is on track for well over a hundred in 2026, driven by researchers like Peter Ullrich using AI to find vulnerabilities that already existed in source code. Firefox went from an average of 20 valid bug reports a month to over 400 in April 2026. Michael argues that Anthropic and OpenAI have been responsible stewards of these capabilities, and that defenders without access to state-of-the-art models are at a structural disadvantage. We also talk about why bug bounty programs are collapsing under AI-generated noise — something I experienced firsthand running Killswitch's program earlier this year.
    In the second half we get practical. Michael walks through what a real penetration test costs, when Claude Code is actually useful for solo developers, and the common Elixir-specific gotchas: binary term deserialization, server-side request forgery, dynamic atom creation, and the importance of staying inside Ecto's default query syntax. We also touch on Erik Stenman's BEAM Book, the difference between Paraxial and Sobelow, and what SOC 2 compliance does and does not cover.
    Resources Mentioned:
    - Securing Hex, the Backbone of the Elixir Ecosystem (Paraxial blog): https://paraxial.io/blog/hex-pentest
    - Hex Package Manager security audit report: https://hex.pm/reports/2026/paraxial.pdf
    - Erlang Ecosystem Foundation CNA: https://cna.erlef.org/
    - Behind the Scenes Hardening Firefox with Claude (Mozilla Hacks): https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
    - Project Glasswing (Anthropic): https://www.anthropic.com/project/glasswing
    - The First CVE Wave (VulnCheck): https://www.vulncheck.com/blog/ai-assisted-vulnerability-discovery
    - Third major Linux kernel flaw in two weeks found by AI (ZDNet): https://www.zdnet.com/article/third-major-linux-kernel-flaw-in-two-weeks-found-by-ai/
    - What the CVE? — Peter Ullrich: https://peterullrich.com/what-the-cve
    - Nicholas Carlini, "Black Hat LLMs" (unprompted 2026): https://www.youtube.com/watch?v=1sd26pWhfmg
    Connect with Michael:
    - Website: https://paraxial.io
    - X/Twitter: https://x.com/paraxialio
    - LinkedIn: https://www.linkedin.com/in/michaellubas/
    - GitHub: https://github.com/paraxialio
    Sponsors:
    - BEAMOps: https://beamops.co.uk
    - Paraxial.io: https://paraxial.io
    - Jido — Elixir AI Collective Discord: https://agentjido.xyz/discord
    - Support Elixir Mentor: https://elixirmentor.com
  • Elixir Mentor

    Vasilis Spilka on LLMs & Ash

    21.04.2026 | 1 hr 36 min
    In this episode of the Elixir Mentor Podcast, I chat with Vasilis Spilka, Head of Software Development at Teacherspace, about building agentic software as a solo developer, the pairing of Ash and LLMs, and what it takes to ship a startup side project alongside a day job.
    Vasilis shares his path from Ruby on Rails in 2014 to nearly a decade of Elixir work across fintech, supply chain, and ad tech. We talk through Teacherspace's recent acquisition, the challenges of integrating with legacy Danish education contractors, and the three pivots it took to land on a working product.
    We spend a good chunk of the episode on Ash: why its unique DSL and introspection make it unusually strong with LLMs, how Spark lets you build your own DSLs, and why usage rules plus Igniter are a game-changer for library authors. Vasilis walks through his Claude Code workflow, the sculpting approach he uses for prototypes, and where he still won't let the LLM near — system design and API keys.
    The conversation also covers Communities, his local-first social platform; the paperclip-style autonomous company idea he's exploring with ash_typescript; whether LLMs actually understand anything; and the unglamorous reality of getting a consumer product off the ground through networking and volunteering. We close with practical tips on prompt phrasing and skill-file tweaks that meaningfully change output quality.
    Resources Mentioned:
    - Ash Framework: https://ash-hq.org
    - Tidewave: https://tidewave.ai
    - Igniter: https://hexdocs.pm/igniter
    - ash_typescript: https://github.com/ash-project/ash_typescript

    Connect with Vasilis:
    - X/Twitter: https://x.com/vasspilka
    - GitHub: https://github.com/vasspilka
    Sponsors:
    - BEAMOps: https://beamops.co.uk
    - Paraxial.io: https://paraxial.io
    - Jido (Elixir AI Collective Discord): https://agentjido.xyz/discord
    SUPPORT ELIXIR MENTOR
    - Elixir Mentor: https://elixirmentor.com
  • Elixir Mentor

    Luca Corti on Bringing Elixir to Fintech

    12.04.2026 | 1 hr 40 min
    In this episode of the Elixir Mentor Podcast, I sit down with Luca Corti, CTO at Sibill, a Milano-based fintech startup building cash flow management software for Italian small and medium businesses. Luca walks through his path from the early days of the internet at a small ISP in Milano to discovering functional programming at a major Italian telco—and why Elixir clicked for him immediately after years of fighting mutable state in OOP.
    Luca shares how he joined Sibill with an existing Python and TypeScript MVP, made the case for Elixir as the stack to rebuild on, and navigated integration with open banking APIs and Italy's national electronic invoicing system (SDI). We cover bank sync scheduling with Broadway and message queues, scaling a venture-backed engineering team to 40, and how fintech requirements around data privacy shape day-to-day engineering decisions.
    The conversation goes deep on the BEAM's real superpower—fault tolerance and resilience over raw concurrency—and Luca's hands-on approach to learning by building: an HTTP/2 server in Elixir a decade ago, and more recently using AI to help implement an HTTP/3 library. We also discuss hiring into an Elixir codebase, the challenges of selling SaaS to Italian SMBs accustomed to on-premises software, and a grounded take on AI tooling—useful, with clear limits, and nowhere close to replacing experienced engineers.
    Resources Mentioned:
    - Sibill: https://sibill.com
    - ankh (HTTP/2 library): https://github.com/lucacorti/ankh
    - lapin (AMQP client): https://github.com/lucacorti/lapin
    Connect with Luca:
    - X/Twitter: https://x.com/lucacorti
    - LinkedIn: https://www.linkedin.com/in/lucacorti
    - GitHub: https://github.com/lucacorti
    Sponsors:
    - Paraxial.io: https://paraxial.io
    - Jido (Elixir AI Collective Discord): https://agentjido.xyz/discord
    SUPPORT ELIXIR MENTOR
    - Elixir Mentor: https://elixirmentor.com
About Elixir Mentor
Welcome to the Elixir Mentor Podcast, your go-to source for All Things Elixir. This show digs into the heart of the Elixir community, featuring interviews with enthusiasts and pioneers who share their stories and innovative projects that define our ecosystem. Each episode explores groundbreaking libraries and boundary-pushing applications shaping Elixir's future. We discuss best practices, emerging trends, and the latest tools and techniques. Perfect for developers at any stage of their Elixir journey, providing insights and inspiration. Join me as we explore the world of Elixir together.