AI Found 5 CVEs in One Afternoon — The BEAM Security Wake-Up Call | Peter Ullrich & Jonathan Machen

AI Found 5 CVEs in One Afternoon — The BEAM Security Wake-Up Call | Peter Ullrich & Jonathan Machen

The BEAM ecosystem spent decades flying under the radar - too niche to attract serious attackers. That era is over. In this episode, we sit down with Peter Ullrich, the developer who ran a $10 experiment at ElixirConf EU in Málaga and discovered a vulnerability that could crash the BEAM with a 13-character string - with zero prior security experience. Then we hear from Jonathan Machen, CISO of the Erlang Ecosystem Foundation, whose job is to catch and coordinate everything Peter finds. We cover: * How Peter built a simple bash script that scanned the most-downloaded Hex packages - and what he found * Why LLMs have changed the cost and skill floor for vulnerability research forever * The CVE disclosure process: what happens from the moment a bug is found to the moment it's published * How the EEF's CNA went from 9 CVEs in a year to more in a single week * What library maintainers should do right now (spoiler: it's three clicks on GitHub) * The AGES initiative, supply chain security, and the gap between what's been built and what the moment demands * Why paying a vendor like Trivy isn't enough - and what actually needs to happen If you run Phoenix in production, this episode is required listening. Resources mentioned: * Peter's blog post and prompts: github.com/pultrich (linked in post) * Linux Foundation's Scrutineer project * Report vulnerabilities: cna@erlef.org * Support the Erlang Ecosystem Foundation: erlef.org

Inside the BEAM: Björn Gustavsson on Maps, Records, and Runtime Design

For the first time in over a decade, the Erlang runtime is gaining a new native data type — and on this episode of BEAM There, Done That, hosts Francesco Cesarini and Allan Wyma sit down with Björn Gustavsson, known by many as the “B” in BEAM. Björn takes listeners deep into the history of records, maps, tag bits, and the architectural trade-offs that shaped the Erlang runtime from the 1990s to today. The discussion explores why records were originally implemented as a hack, why maps never fully replaced them, and what finally made native records possible after nearly 30 years. Along the way, the episode becomes a rare tour through BEAM internals, compiler design, runtime tagging, and the practical realities of evolving a production VM used at massive scale. If you care about language design, runtime systems, or the history and future of Erlang/OTP, this is one of the deepest technical conversations the podcast has released.

Inside Phoenix: A Plug, a Macro, and What You Need to Know To Build Your Own Framework

Three and a half years, one book, and a clearer answer to what Phoenix is actually doing under the hood. Phoenix makes building web apps in Elixir feel effortless, but how much of that is genuine elegance and how much is metaprogramming hiding the complexity? Adi Iyengar spent three and a half years writing Build Your Own Web Framework in Elixir to find out, and in this episode he sits down with Francesco and Allen to share what he learned by rebuilding Phoenix from the ground up. We dig into Plug as the real heart of the framework, when metaprogramming is the right tool and when it quietly becomes a liability, and why understanding the layers underneath Phoenix is what separates a productive developer from a senior one. Along the way Francesco brings out the BEAM web-server history most listeners have never heard — Yaws, Bluetail, Mochiweb, Inets — and the conversation lands on what coding agents get wrong about Phoenix in 2026.

Zero-Cost Meets Let-It-Crash: The Rust + Elixir Power Combo

In this episode of BEAM There, Done That, hosts explore what really happens when the high-level concurrency and fault-tolerance of Elixir meet the low-level performance and control of Rust. The conversation dives into interoperability patterns—NIFs, ports, and emerging tooling—and where each language shines when building real-world systems that need both resilience and raw speed. Joining the discussion are Florian Gilcher, Co-founder and Managing Director of Ferrous Systems and a key figure in Rust’s community, adoption, and safety-critical systems work, and Leandro Pereira, an Elixir developer behind high-performance, developer-focused tools like MDEx, Lumis, and BeaconCMS. Together, they unpack when to stay on the BEAM, when to reach for Rust, and how combining the two can unlock a powerful hybrid architecture without compromising safety or developer productivity.

Phoenix’s Next Evolution: Chris McCord Unveils the DurableServer

In this episode of BEAM There, Done That, hosts Francesco Cesarini and Allen Wyma sit down with Chris McCord, the creator of the Phoenix Framework, for a deep dive into the evolving world of Elixir, distributed systems, and durable processes on the BEAM. Fresh from ElixirConf EU, Chris shares the story behind his latest work on durable servers—a powerful abstraction that brings persistence, global process identity, and intelligent placement to familiar GenServer patterns. The conversation explores how these ideas emerged from real-world production challenges, including running geo-distributed applications across multiple regions with no single point of failure. Along the way, the trio unpack the current state of Phoenix and Phoenix LiveView, discuss why most new features are driven by production needs rather than theory, and debate hot topics like WebSockets vs. server-sent events, event-driven architectures vs. long-lived processes, and the true scalability limits of the BEAM. This episode is packed with practical insights for Elixir and Erlang developers building real systems: from supervision tree pitfalls and process design trade-offs to tracing, load balancing, and self-healing systems at scale. If you’ve ever wondered how to design applications that can survive crashes, move across nodes, and run globally with minimal complexity, this is a must-listen. Topics covered: Elixir, Erlang, Phoenix, Phoenix LiveView, distributed systems, durable objects, GenServer patterns, supervision trees, multi-region BEAM clusters, fault tolerance, and real-world production architecture.