Vulnerabilities

We encourage security researchers and members of the community to report vulnerabilities through the following contact methods:

  • Email: cna@erlef.org
  • GPG Key: For encrypted communications, please use our GPG key:
    • Public Key: GPG Public Key
    • Fingerprint: 38BD 201B 397E 28F1 F3D9 3EC7 6E03 1A81 1F26 6E21

Report via GitHub Private Vulnerability Reporting

We also support direct integration with GitHub Private Vulnerability Reporting.

If you’re using GitHub to report your vulnerability, you can invite our CNA Points of Contact (PoCs) directly into your private advisory instead of reaching out via email.

Steps to collaborate with us on a GitHub Advisory

  1. CVE Identifier
    • When initially creating the advisory, choose:
      “Request CVE ID later”
  2. Collaborators
    • Add the following GitHub users as collaborators to the private advisory:
      • @IngelaAndin – Ingela Andin (Affiliation: OTP Core Contributor)
      • @maennchen – Jonatan Männchen (Affiliation: CISO Erlang Ecosystem Foundation)
      • @voltone – Bram Verburg (Affiliation: Erlang Ecosystem Foundation Security WG Chair)
  3. Assigning a CVE ID
    • Once the Erlang Ecosystem Foundation CNA has reviewed the report and decided to issue a CVE ID, edit the advisory:
      • Set CVE Identifier to “I have an existing CVE ID”
      • Enter the CVE number we provide you into the Existing CVE field

This approach provides a secure and streamlined workflow for submitting and triaging vulnerabilities within the GitHub ecosystem.

Questions & Suggestions

For general questions, please use GitHub Discussions.

⚠️ Note: GitHub Discussions are public. Never report or include vulnerability details. ⚠️