Discourse is Not Going Closed Source

Cal.com have announced they’re closing their codebase and will no longer be an open-source product. Their reasoning is that AI has made open source too dangerous for SaaS companies. Code gets scanned and exploited by AI at near-zero cost, and transparency is now becoming exposure.


This is a companion discussion topic for the original entry at https://blog.discourse.org/2026/04/discourse-is-not-going-closed-source
38 likes

Thank you Sam. I appreciate you addressing this head on like this.
I have been following the recent related AI news (as best I can keep up) and this question has certainly been in the back of my mind. Keep up the great work. :discourse:

14 likes

Lots of respect here, this was something I was concerned about in the back of my mind for a while now with Discourse. Thank you guys for being on the right side of this and continuing to not enshittify the core product. I can’t imagine we’ll get AI regulation for a while longer for many reasons but things are very grim right now.

I hope you all know how much everybody appreciates not self-hosting the product and still being begged to cough up money to unlock basic features (like many “open source” products do). :meow_heart:

14 likes

Suddenly closing your source doesn’t magically fix all existing security issues in your code which have not been identified yet. But it sure will prevent the community from helping to fix them.

Besides that, it is also a dick move to everybody who helped grow your product. Why would I now, or ever, do anything with/for cal.com after this action? Why would I do anything for their hobbyist “fork” cal.dyi? They just threw away all the trust they created.

8 likes

Thanks for the blog article, it was an interesting read, Sam :slight_smile:

This has been all over the internet, but is the security threat (“our models are too dangerous”) the real or main reason for not releasing it?

Some people claim it leans more toward a PR stunt, though not completely erasing the potential strength of the models. One example: On Anthropic's Mythos Preview and Project Glasswing - Schneier on Security

I certainly don’t know anything about all those complex topics, but I’m cautious when I read articles that spread lightning fast on all news sites and online communities. I assume there are some caveats on what is claimed. That there’s probably some truth and some other information that needs clarification, or is overhyped.

I don’t have any doubt over the fact that models are incredibly fast to find and probably exploit vulnerabilities, and you even highlighted this with the Discourse code example.


About the article itself, just pointing out something I felt weird reading:

Closed source has always been a weaker defense for SaaS than people want to admit. A web application is not something you ship once and keep hidden. Large parts of it are delivered straight into the user’s browser on every request: JavaScript, API contracts, client-side flows, validation logic, and feature behavior. Attackers can inspect all of that already, and AI makes that inspection dramatically cheaper. Closing the repository may hide some server-side implementation detail, but it does not make the system invisible. What it mostly does is reduce how many defenders can inspect the full picture.

Then, later:

Closed source can buy some obscurity, but obscurity is brittle. Code gets leaked, binaries get reverse engineered, APIs get mapped, and attackers learn a lot just by interrogating the running system. The real defense is not keeping the code hidden forever. It is building software and operational practices that hold up when scrutiny arrives.

When I read the 2nd paragraph, I had the feeling I had already read that.
I scrolled up, and I noticed that the two paragraphs are very, very similar. They both state the same things, but using different phrasing.

I understand the need to summarize, but in this case, I really had the feeling I had read basically the same things a few paragraphs earlier.

5 likes

This was truly an inspiring read, Sam. Makes me proud to work at Discourse.

[frantically thinking of something to say that will make me sound less like a suck-up…]

Might even do some work now. :wink:

18 likes

Reading this really moved me. The line about choosing courage over hiding behind a locked door is so powerful. Thank you for standing by open source for 13 years, and for reminding us what it’s all about. These words will stick with me.

9 likes

Great statement!

https://releases.discourse.org also works and looks amazing now @david, @derek and everyone who built it! :smiling_face_with_sunglasses:

9 likes

Oh that’s tasty! And beautifully clear and very useful, great job!

5 likes

If Open Source is dead, then why are they still using it? Why haven’t they moved from PostgreSQL to Oracle DB? Why hasn’t the team moved from Linux to MS Windows? Etc.

Their whole application, middleware, and even large parts of the infrastructure are built on Open Source.

5 likes

This is a great announcement and topic.

I understand the risk of AI accelerating zero day exploits.

Not in any way underestimating the effort, I wonder if Discourse would consider some sort of relatively real-time CI/CD pipeline for updates?

Maybe this already happens at meta and discourse managed sites, I’m specifically thinking about self hosted where a feature flag could enable updates as released, or on a delay as an automated process.

Or maybe it manifests as an automated security update feature that can be enabled independent of other updates.

Regardless, let me continue to offer my thanks and appreciation for the discourse software and the people behind it. Thank you!

3 likes

There are good reasons why this isn’t a good idea here:

1 like

Exactly! And that means they inherit the vulnerabilities of that middleware, and those are disclosed publicly regardless of what they choose to hide.

This is all a big charade. Every undergrad knows that security by obscurity does not work.

Discourse shows that it is possible to stay open source, to build a sustainable SaaS business AND to keep pace in the vulnerability landscape rather than trying to hide from it.

5 likes

So happy to see Discourse not only staying open source (which I never doubted), but also deciding to take a stand here. :heart: I don’t mind Cal’s decision, it’s theirs to make, but the whole spin-doctoring is extremely frustrating.

One thing AI code generation and exploit hunting has taught me is we’re still fighting the same bad but popular ideas that executives have held since the dawn of time. In this case the “security by obscurity” argument against open source.

4 likes