Area: Compliance
Status: In Progress (75%)
Sponsors
  • Ericsson
  • Herrmann Ultraschall
Funding: Funding Complete

Goal

Implement a CVE Numbering Authority (CNA) for Erlang, Elixir, Gleam, and Hex.pm that also acts as a fallback for all Hex.pm packages.

Impact

By establishing a dedicated CNA within the Erlang Ecosystem Foundation (covering Erlang, Elixir, Gleam, and Hex.pm, and acting as a fallback for all Hex.pm packages), this milestone ensures a more streamlined, authoritative, and timely process for identifying and remediating security vulnerabilities. Formal CNA registration with MITRE, coupled with a dedicated website and a well-defined team of points of contact, fosters transparency and prompt disclosure across the open source community. By adhering to relevant guidelines such as the CNA Operational Rules and recommendations for open source CNA formations, this initiative significantly enhances the security posture of the ecosystem, ultimately building greater trust and resilience for developers and users alike.

Deliverables

  • CNA Registration with MITRE
  • CNA Website
  • Working Team of Points of Contact

Relevant Standards