We’re excited to share that the Erlang Ecosystem Foundation (EEF) has officially joined the CVE Program as a CVE Numbering Authority (CNA)!
This is a major milestone in our ongoing work to improve security and transparency in the BEAM ecosystem—and it’s part of the Ægis Supply Chain Security & Compliance Initiative.
As a CNA, the EEF can now assign and publish CVE IDs for vulnerabilities in:
- All active packages hosted on Hex.pm, unless they’re already covered by another CNA
- Projects hosted under GitHub organizations such as @elixir-lang, @erlang, @erlef, @erlef-cna, @gleam-lang, and @hexpm
Why this matters:
- Project Maintainers can now request CVEs directly from us—with support along the way.
- Security Researchers have a reliable, community-run path for responsible disclosure.
- Tool Developers get consistent, ecosystem-aware CVE data to build better tooling.
- Users will benefit from improved transparency and package metadata over time.
This community-run CNA helps lay the foundation for a stronger, more secure open source ecosystem—and reflects our long-term commitment to supply chain security through Ægis.
Learn more:
- Blog post: EEF becomes a CNA for the BEAM ecosystem
- CNA homepage: https://cna.erlef.org
- Ægis Initiative: security.erlef.org/aegis
Thanks to everyone across the Elixir, Erlang/OTP, Gleam, and Hex communities who helped make this happen!
—
The Security Working Group
Erlang Ecosystem Foundation