<p>Peter Ullrich returns to talk about a CVE hunt across the most-downloaded Hex packages, run with Claude Code on Opus 4.7. After ElixirConf EU pulled him into AI security, he started pointing Opus at popular libraries day and night, and within half an hour of his first serious attempt he found the Decimal vulnerability, where raising 10 to a huge power can exhaust an application's memory.</p>
<p>We get into what separates a real CVE from noise, how CVSS scoring works, and why reachability matters so much: a flaw in Phoenix's default configuration is far more serious than a crash in a function nobody can call. Peter also walks through the process he runs with the EEF: verifying each issue, getting a second pair of eyes, coordinating a fix, and getting a CVE ID issued through a CNA, all while avoiding sending slop reports to maintainers. There's also a candid stretch on regulation and breach reporting.</p>
<p>From there it widens out, including how Opus compares to Mythos, why Peter keeps coming back to Claude, his first impressions of Opus 4.8, and the economics, with a simple scan costing about $10 in API tokens. He also shares his Session Watcher plugin, an update on Killswitch and its browser-side encryption, thoughts on AEO, and how he uses dev containers to sandbox coding agents.</p>
<p>Resources Mentioned:<br />- The blog post that started this: <a href="https://peterullrich.com/what-the-cve?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">https://peterullrich.com/what-the-cve</a><br />- Peter's prompts: <a href="https://gist.github.com/PJUllrich/c8b3ced91598eeea6e624f5f6bdf7fbf?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">gist</a><br />- Scrutineer: <a href="https://github.com/alpha-omega-security/scrutineer?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">github.com/alpha-omega-security/scrutineer</a><br />- Decimal advisory: <a href="https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">GHSA-rhv4-8758-jx7v</a><br />- EEF CNA published CVEs: <a href="https://cna.erlef.org/cves/?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">cna.erlef.org/cves</a><br />- EEF CNA security policy: <a href="https://cna.erlef.org/security-policy?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">cna.erlef.org/security-policy</a><br />- Responsible disclosure guidelines: <a href="https://security.erlef.org/security_vulnerability_disclosure/?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">security.erlef.org</a><br />- Anthropic article the hunt is based on: <a href="https://red.anthropic.com/2026/property-based-testing/?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">red.anthropic.com</a></p>
<p>Connect with Peter:<br />- Website: <a href="https://peterullrich.com/?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">peterullrich.com</a><br />- GitHub: <a href="https://github.com/pjullrich?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">github.com/pjullrich</a><br />- LinkedIn: <a href="https://linkedin.com/in/pjullrich?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">linkedin.com/in/pjullrich</a><br />- Bluesky: <a href="https://bsky.app/profile/peterullrich.com?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">@peterullrich.com</a></p>
<p>Thanks to our sponsors:<br />- BEAMOps: <a href="https://beamops.co.uk?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">beamops.co.uk</a><br />- Paraxial.io: <a href="https://paraxial.io?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">paraxial.io</a></p>
<p><strong>SUPPORT ELIXIR MENTOR</strong><br />- Elixir Mentor: <a href="https://elixirmentor.com/?utm_source=elixir-mentor" rel="ugc noopener noreferrer" target="_blank">elixirmentor.com</a></p>
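<p>The Decimal finding mentioned above belongs to a general class: reading an exponent costs time proportional to its digit count, but materialising 10 to that exponent costs memory proportional to its value, so a few bytes of input can demand hundreds of megabytes of heap. The block below is a constructed illustration of that class, added for this page; it is not Decimal's code, not the advisory's reproducer and not the library's fix. The parser, the <code>MAX_EXPONENT</code> limit of 10,000 and the sample inputs are all hypothetical, and the vulnerable path is shown but never driven with a huge exponent; the cost is estimated instead.</p>

```python
"""Constructed illustration of the unbounded-exponent memory-exhaustion class.
Added example; the parser, limit and inputs are hypothetical and not Decimal's code."""
import math
import re

# Sign, integer digits, optional fraction, optional exponent (hypothetical grammar).
_DEC = re.compile(r"^(?P<sign>[+-]?)(?P<int>\d+)(?:\.(?P<frac>\d*))?(?:[eE](?P<exp>[+-]?\d+))?$")

# Hypothetical policy limit on the exponent shift a parser is willing to materialise.
MAX_EXPONENT = 10_000


def pow10_bytes(exp: int) -> int:
    """Approximate heap bytes an arbitrary-precision 10**exp occupies: exp * log2(10) bits."""
    return math.ceil(exp * math.log2(10) / 8)


def parse(text: str) -> tuple[int, int]:
    """Cheap symbolic parse: returns (coef, exp) with value == coef * 10**exp.
    Cost depends only on the input length, never on the exponent's value."""
    m = _DEC.fullmatch(text)
    if not m:
        raise ValueError(f"not a decimal literal: {text!r}")
    frac = m["frac"] or ""
    coef = int(m["int"] + frac)
    if m["sign"] == "-":
        coef = -coef
    exp = int(m["exp"] or 0) - len(frac)
    return coef, exp


def align_naive(a: tuple[int, int], b: tuple[int, int]) -> tuple[int, int, int]:
    """Vulnerable step. Adding two decimals needs equal exponents, and the naive way is
    to scale the larger-exponent coefficient by 10**(difference). For '1e999999999' + '1'
    that difference is 999_999_999 and the bignum 10**difference alone is ~415 MB, all
    allocated before any arithmetic happens. Returns (coef_a, coef_b, shared_exp)."""
    (ca, ea), (cb, eb) = a, b
    if ea > eb:
        ca *= 10 ** (ea - eb)        # attacker-controlled allocation size
        ea = eb
    elif eb > ea:
        cb *= 10 ** (eb - ea)        # attacker-controlled allocation size
        eb = ea
    return ca, cb, ea


def align_checked(a: tuple[int, int], b: tuple[int, int],
                  max_shift: int = MAX_EXPONENT) -> tuple[int, int, int]:
    """Hardened: refuse to materialise a shift above a fixed limit, so memory use is
    bounded by policy rather than by whatever exponent the input carries."""
    shift = abs(a[1] - b[1])
    if shift > max_shift:
        raise ValueError(f"exponent gap {shift} exceeds limit {max_shift} "
                         f"(would allocate about {pow10_bytes(shift):,} bytes)")
    return align_naive(a, b)


def add_checked(x: str, y: str) -> str:
    """Parse both operands, align under the limit, add, and render as '<coef>e<exp>'."""
    ca, cb, e = align_checked(parse(x), parse(y))
    return f"{ca + cb}e{e}"


if __name__ == "__main__":
    print(add_checked("1.5", "2.25"))                  # 375e-2
    print(f"{pow10_bytes(999_999_999):,} bytes for 10**999999999")
    try:
        add_checked("1e999999999", "1")
    except ValueError as err:
        print("rejected:", err)
```

<p>The asymmetry is what a fuzzer or property-based test finds quickly: a generator that emits random exponents hits the expensive branch within a handful of cases, which is the angle the linked Anthropic article takes. The hardened path here is one possible mitigation for the class (bounding the shift you are willing to materialise, or keeping coefficient and exponent symbolic until a bounded operation needs them); it is not a description of what the Decimal maintainers shipped.</p>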

Elixir Mentor

Jacob Luetzow

Peter Ullrich on Hunting CVEs

MAY 30, 2026 · 110 MIN