Peter Ullrich returns to talk about a CVE hunt across the most-downloaded Hex packages, run with Claude Code on Opus 4.7. After ElixirConf EU pulled him into AI security, he started pointing Opus at popular libraries day and night, and within half an hour of his first serious attempt he found the Decimal vulnerability, where raising 10 to a huge power can blow up an application's memory.
We get into what separates a real CVE from noise, how CVSS scoring works, and why reachability matters so much, since a flaw in Phoenix's default configuration is far more serious than a crash in a function nobody can call. Peter also walks through the process he runs with the EEF: verifying each issue, getting a second pair of eyes, coordinating a fix, and getting a number issued through a CNA, all while avoiding slop reports to maintainers. There's also a candid stretch on regulation and breach reporting.
From there it widens out, including how Opus compares to Mythos, why Peter keeps coming back to Claude, his first impressions of Opus 4.8, and the economics, with a simple scan costing about $10 in API tokens. He also shares his Session Watcher plugin, an update on Killswitch and its browser-side encryption, thoughts on AEO, and how he uses dev containers to sandbox coding agents.
Resources Mentioned:
- The blog post that started this: https://peterullrich.com/what-the-cve
- Peter's prompts: gist
- Scrutineer: github.com/alpha-omega-security/scrutineer
- Decimal advisory: GHSA-rhv4-8758-jx7v
- EEF CNA published CVEs: cna.erlef.org/cves
- EEF CNA security policy: cna.erlef.org/security-policy
- Responsible disclosure guidelines: security.erlef.org
- Anthropic article (the basis): red.anthropic.com
Connect with Peter:
- Website: peterullrich.com
- GitHub: github.com/pjullrich
- LinkedIn: linkedin.com/in/pjullrich
- Bluesky: @peterullrich.com
Thanks to our sponsors:
- BEAMOps: beamops.co.uk
- Paraxial.io: paraxial.io
SUPPORT ELIXIR MENTOR
- Elixir Mentor: elixirmentor.com
By Jacob Luetzow