Security Documentation

May 10, 2026 ยท View on GitHub

This documentation describes the security model, practices, and controls for the Hex package ecosystem.

Overview

Hex.pm is a package registry for the Erlang and Elixir ecosystem. It enables publishing, discovery, and consumption of packages used in production systems. This documentation covers:

  • What we protect and what can go wrong (threat model)
  • How we build and release software securely (SDLC)
  • How we operate and respond to incidents (operations)
  • How we ensure package integrity (supply chain)

Documentation Structure

Threat Model

Analysis of assets, actors, threats, and mitigations.

Secure Development Lifecycle

How we build and maintain secure software, organized into three pillars.

Operations

How we operate and respond to security events.

Supply Chain Security

How we ensure package integrity from publish to install.