Objectives

  1. Elevate Ecosystem-Wide Security

    Establish a strong, foundational security posture that benefits every user of BEAM languages and tools, regardless of their organization’s size.

  2. Streamline Compliance Readiness

    Ensure that projects and maintainers can easily meet or exceed emerging global regulations (e.g., EU CRA, NIST SSDF) through built-in security features and best practices.

  3. Foster Trust and Transparency

    Implement mechanisms like event transparency logs and verifiable package provenance to create an auditable trail that builds user confidence in the ecosystem.

  4. Democratize Advanced Security

    Provide user-friendly libraries and tools (e.g., cosign, SLSA, SCITT) so that smaller teams without dedicated security resources can adopt best-in-class protections.

  5. Enable Secure Publishing Workflows

    Protect package maintainers and end-users by deploying robust authentication (passkeys, MFA) and replacing exposed API keys with safer, tokenless publication methods.

  6. Empower Continuous Vulnerability Management

    Integrate automated vulnerability scanning and reporting into build and install processes, making security awareness accessible to every developer.

  7. Support Sustainable Maintenance

    Offer stipends, guidance, and community collaboration so maintainers and contributors have the resources needed to keep security features robust and up to date.

  8. Enhance Embedded & Enterprise Integration

    Develop toolchains (e.g., Yocto integration, BOM generation) that ease the adoption of BEAM-based applications in embedded and heavily regulated environments.

  9. Cultivate Long-Term Funding & Governance

    Transition from single large grants to a diversified funding model—attracting industry sponsorships and broad community support to ensure financial stability.

  10. Promote Ecosystem Growth & Adoption

    Demonstrate how open source security capabilities drive broader adoption of BEAM technologies, thereby strengthening the community through shared innovation and best practices.

Roadmap

Name                             Area          Status             Sponsors
Erlang OpenChain Compliance      Compliance    Done               Ericsson
Elixir OpenChain Compliance      Compliance    Done               Herrmann Ultraschall
Gleam OpenChain Compliance       Compliance    In Progress (10%)  Herrmann Ultraschall
Erlang Ecosystem Foundation CNA  Compliance    In Progress (75%)  Ericsson, Herrmann Ultraschall
Core Tooling Compliance          Compliance    In Progress (20%)  Ericsson, Herrmann Ultraschall
Core Tooling Governance Audit    Governance    Planning           Herrmann Ultraschall
Supply Chain Security Audit      Supply Chain  Planning           More Funding Required
Hex Vulnerability Handling       Supply Chain  Planning           More Funding Required
Hex Account Security             Supply Chain  Planning           More Funding Required
Hex API Credential Security      Supply Chain  Planning           More Funding Required
Hex Build Provenance             Supply Chain  Planning           More Funding Required
Hex Asset Side-Loading           Supply Chain  Planning           More Funding Required
SBoM                             Supply Chain  Planning           More Funding Required

Funding

Achieving the objectives and milestones on our roadmap requires external funding. We welcome contributions in various forms. If you’d like to support this initiative, please contact us at sponsorship@erlef.org. Sponsorship can be provided through:

  1. Financial Contributions
    • Directly fund key activities such as security audits, engineering work, and stipends for maintainers.
    • Support can be one-time or recurring, depending on your preference.
  2. In-Kind Contributions (Manpower)
    • Offer developer time, security expertise, or other specialized skill sets to help implement features, review code, or audit progress.
    • Enables direct collaboration on critical tasks while also shaping the future of the ecosystem.

Sponsors

Implementation

The initiative is designed to accommodate multiple pathways for contributing new security features and improvements. Regardless of the approach, all work is guided and reviewed by the EEF Security Working Group and the EEF CISO to ensure consistency, quality, and adherence to our strategic roadmap. Here are the primary ways implementation can happen:

  1. Internal EEF Resources

    The EEF can allocate its own staff and experts (including the CISO) to implement features directly.

  2. Stipends for External Contributors

    The EEF can fund stipends or grants for developers, maintainers, or other specialists in the community.

  3. Sponsor-Provided Implementation

    A sponsor may opt to contribute manpower directly, having their own team or contractors develop and integrate new capabilities.