Comments (202)
- simonw: Drew Breunig published a very relevant piece yesterday that came to the opposite conclusion: https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-o... Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget while closed source software has to find all the exploits themselves in private.
  > If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.
- ryanleesipes: Head of Thunderbird project here. Our scheduling tool, Thunderbird Appointment, will always be open source. Repo here: https://github.com/thunderbird/appointment
  Come talk to us and build with us. We'll help you replace Cal.com.
- ButlerianJihad: This seems kind of crazy. If LLMs are so stunningly good at finding vulnerabilities in code, then shouldn't the solution be to run an LLM against your code after you commit, and before you release it? Then you basically have pentesting harnesses all to yourself before going public. If an LLM can't find any flaws, then you are good to release that code. A few years ago, I invoked Linus's Law in a classroom, and I was roundly debunked. Isn't it a shame that it's basically been fulfilled now with LLMs? https://en.wikipedia.org/wiki/Linus%27s_law
- gouthamve: This is a weird knee-jerk reaction. I feel like this is more a business decision than a security decision. I feel like with AI, self-hosting software reliably is becoming easier, so the incentives to pay for a hosted service of an OSS project are going down.
- diebillionaires: Lame. "We don't want AI pointed at our code so we're going closed source". That's hilarious and a cover-up.
- Tepix: Hey cal.com, as a potential customer, you have just lost me. Open source is set to profit from improved transparency in the SSDLC. With closed source, you will have to trust the software vendor instead. I'm not sure I agree with Drew Breunig, however. The number of bugs isn't infinite. Once we have models that are capable enough and scan the source code with them at regular intervals, the likelihood of remaining bugs that can be exploited goes way down.
- whatiathisnon: This is completely stupid and ridiculous. Why not just use AI to patch your software? It's just as effortful as someone finding and exploiting a vuln on your system. What's worse is you're choosing to keep it buggy behind closed doors so no one can see the bugs. That's 100% the wrong approach.
- sgbeal:
  > Today, we are making the very difficult decision to move to closed source, and there’s one simple reason: security.

  (Enter name of large software vendor here) has long since proven that security through obscurity is not a real thing.
- theahura: I'm sorta suspicious. I don’t really think this is why they are moving to closed source. It’s true that there is more security risk, but that actually justifies being open source, because open source tooling can spend more tokens hardening itself against security vulns than closed source tooling (at least, that’s the theory). My strong hunch is they are moving to closed source because it is now trivial to copy a product with AI clean rooms. Which, tbf, is a totally valid reason to move closed source. But I'd want to see more adoption of something like the Ship of Theseus license (https://github.com/tilework-tech/nori-skillsets/pull/465/cha...) before giving up on open source entirely.
- opem:
  > When we started Cal.com, we believed deeply in open source.

  No you certainly didn't, otherwise you wouldn't have come up with such a meaningless excuse!
- doytch: I get the mentality, but it feels very much like security through obscurity. When did we decide that that was the correct model?
- tudorg: It's funny that this news showed up just as we (Xata) have gone the other direction, citing also changes due to AI: https://xata.io/blog/open-source-postgres-branching-copy-on-... We did consider arguments in both directions (e.g. easier to recreate the code, agents can understand better how it works), but I honestly think the security argument goes for open source: the OSS projects will get more scrutiny faster, which means bugs won't linger around. Time will tell; I am in the open source camp, though.
- abound: This certainly makes me feel better about the project I started a few months ago to replace my Cal.com instance with a smaller, simpler self-hosted tool: https://git.sr.ht/~bsprague/schedyou
- kartika36363: That's like the funniest excuse to cash out on people's open source contributions.
- iancarroll: I know plenty of security researchers who exclusively use Claude Code and other tools for blackbox testing against sites they don’t have the source code for. It seems like shutting down the entire product is the only safe decision here!
- _pdp_: The real threat is not security but bad actors copying your code and calling it theirs. IMHO, open source will continue to exist and it will be successful, but the existence of AI is a deterrent for most. Let's be honest, in recent times the only reason startups went open source first was to build a community and an organic growth engine powered by early adopters. Now this is no longer viable and in fact it is simply helping competitors. So why do it then? The only open source that will remain will be the real open source projects that are true to the ethos.
- usernametaken29: Just a random thought. Up until yesterday this project was open source. The code base won’t be rewritten tomorrow. More likely is that conserved parts of the source code, something like 90%, will just remain the same. Particularly the core database schema around users and security is likely to stay the same. Since the old code is already out there, what’s stopping me from exploiting the software as it was? This looks an awful lot like marketing to me, and not like real security concerns.
- com2kid:
  - Proposition 1: The majority of code in a modern app is from shared libraries.
  - Proposition 2: The most popular shared libraries are going to be quickly torn apart by LLM security tools to find vulnerabilities.
  - Proposition 3: After a brief period of mass vulnerability discovery, the overall quality of shared libraries will dramatically increase.
  - Conclusion: After the initial wave of vulnerabilities has passed, the main threat to open source code bases is in their own comparatively small amount of code.
- amazingamazing: This is a big nothing. They relicensed the previous cal.com as cal.diy (MIT, by the way, instead of AGPL or something else) and effectively forked their own product into the "new" cal.com. Anyone who cares would just use cal.diy as they were prior to this announcement with cal.com.
- andsoitis:
  > Today, we are making the very difficult decision to move to closed source, and there’s one simple reason: security.

  It seems like an easy decision, not a difficult one.
- smetannik: This sounds more like a good excuse to go closed source. I feel that the real reason might be revenue-related.
- dang: Related ongoing threads:
  - Open Source Isn't Dead - https://news.ycombinator.com/item?id=47780712
  - Cybersecurity looks like proof of work now - https://news.ycombinator.com/item?id=47769089
- notnullorvoid: Security through obscurity can be a good security layer, but you need to maintain obscurity. That's a lot harder than Cal.com seems to realize. For example, using something like Next.js means a very large chunk of important obscurity is thrown out the window. The same for any publicly available server/client isomorphic framework.
- woodruffw: Today, it's easy to (publicly) evaluate the ability of LLMs to find bugs in open source codebases, because you don't need to ask permission. But this doesn't actually tell us the negative statement, which is that an LLM won't just as effectively find bugs in closed codebases, including through black-box testing, reverse engineering, etc. If the null hypothesis is that LLMs are good at finding bugs, full stop, then it's unclear to me that going closed actually does much to stop your adversary (particularly as a service operator).
- mellosouls: The founder proclaimed "Open Source is Dead" in the original tweet. I thought this was grandiose and projecting their own weakness onto others, an extremely unappealing marketing position that may get clicks in the short term but will undermine trust beyond that.
- thegdsks: This is why CC0 and MIT matter for projects people depend on. Once you build on something with a restrictive license, this is always a risk.
- a-fadil: Open source means living under constant scrutiny. AI just made that scrutiny cheaper and faster. I feel this every day maintaining an open source project. The temptation to close the source is real, but let’s not forget that open source is what raised the bar for software quality in the first place.
- egorfine: What's preventing cal.com from running the AI researcher over their own codebase and finding their vulnerabilities before anyone else and patching them all by tomorrow morning? That's right. Nothing.
- ernsheong: Well, let’s just finish and CLOSE them off. Delete all your subscriptions, boys.
- sreekanth850: This has one of the shittiest codebases out of all. Not surprised by this move.
- alance: I only found cal.com in the first place because I searched for an open source Calendly alternative.
- codegeek: I am beyond convinced at this point that you either run an Open Source Project with a small revenue company (single digit millions) or run a software company that does more than 10M ARR at the least and be closed source. I know there are exceptions, but most open source software companies are providing code with heavy restrictions or teaser features and gatekeep everything in their "ee/enterprise" version etc.
- femto: Will it make any difference to security? LLMs are excellent pattern matchers. The source is a sequence of tokens, the binary is a sequence of tokens. What's the difference to an LLM?
- dhruv3006: I guess this is an AI excuse again.
- axeldunkel: Sounds like "security by obscurity" to me. If you think AI is so good at finding security issues, it will find them in compiled code as well. Why not use it in your favor and let it search for bugs you'd otherwise not find?
- huslage: Cal.com is failing. This is a rugpull with an AI excuse.
- bearsyankees: Think this is a bad, bad move... https://news.ycombinator.com/item?id=47780712
- evanjrowley: Juxtapose this with the fact that many HNers will decry strong copyleft FOSS licenses as not being truly "open source"; the reality is that closed source software is still full of open-source non-copyleft dependencies. Unless you're rolling your own encryption and TCP stack, being closed source will not be the easy solution that many imagine it to be.
- wqtz: In my advisory job, founders always raise the question about open sourcing within the first hour of meeting me. They think that open sourcing a product means transparency and developer trust, which helps with early adoption. Every single founder I talked to brings up open source as a market penetration method to drive the initial adoption. I always say to just stop with the virtue-signaling-led sales technique. I despise the "we are like the market leader of our niche but open source" angle. Developers as buyers and as a community these days, in my opinion, do not care about open source anymore. There is no long term value to that. The moment a product gets traction, the open source element is a constant mild headache, as an open source product means that they have no intellectual copyright on the core aspect of the product and it is hard to raise money or sell the company. And whenever a product gets traction they will take any excuse to make it closed source again. With an open source product they are just coasting on brand. Regardless of what your personal opinion is, this has been largely true for most for-profit businesses. Open source is largely nothing more than a branding concept for a company that is backed by investors.
- adamtaylor_13: Could you not simply point AI at your open source codebase and use it to red-team your own codebase? This post's argument seems circular to me.
- constantlm: Security through obscurity isn't a great strategy.
- sadeshmukh: Security by obscurity has never been real.
- asdev: Who even uses their open source product?
- lrvick: There are endless closed calendar options. Cal.com being FOSS and not making us feel locked in forever was the only reason we chose it over wasting limited cycles self-hosting this at Distrust and Caution. AI can clone something like cal.com with or without source code access, so in trying to pointlessly defend against AI they are just ruining the trust they built with their customers, which is the one thing AI can never create out of thin air. We exclusively run our companies with FOSS software we can audit or change at any time because we work in security research, so every tool we choose is -our- responsibility. They ruined their one and only market differentiator. We will now be swapping to self-hosting ASAP and canceling our subscriptions. Really disappointing. Meanwhile at Distrust and Caution we will continue to open source every line of code we write, because our goal is building trust with our customers and users.
- poisonborz: AI sure is useful as a scapegoat for any negative-PR-inducing moves.
- nativeit: I guess why fix vulnerabilities when you can just obscure them?
- theturtletalks: Enshittification has come for VC-backed open source. AI has deemed commercial open source obsolete, especially when users can point Claude Code to calcom on GitHub and ask it to make them scheduling features directly in their product. That’s what spooked Cal.
- analogpixel: TIL about yet another calendar application I don't need. Someone should set up their openclaw to just write a new todo/calendar app each week; they'll be billionaires by the end of the year.
- xnx: Saaspocalypse is coming for cal.com.
- jemiluv8: I have fond memories of this project. Contributing to it really helped me ramp up my dev skills and was effectively my introduction to monorepos in JavaScript. It was the kind of codebase I couldn’t get my hands on while working in my part of the world. Good luck going closed source.
- aizk: Sounds backwards to me.
- fontain: Monumentally dumb given their codebase is already public and the type of security issues that exist in software are usually found in the oldest code. But also, and more importantly, cal.com launched coss.com last year; open source is (ostensibly) their DNA. How could they do a complete 180 on something so fundamental and think that wouldn’t worry customers, much more so than their codebase being public? I cannot even begin to understand this. Surely there must be more to the story?
- post-it:
  - You know, Lindsay, as a software engineering consultant, I have advised a number of companies to explore closing their source, where the codebase remains largely unchanged but secure through obscurity.
  - Well, did it work for those companies?
  - No, it never does. I mean, these companies somehow delude themselves into thinking it might, but... but it might work for us.
- barelysapient: I hate how this sounds... but this reads to me as "we lack the confidence in our code security so we're closing the source code to conceal vulnerabilities which may exist."
- neuroelectron:
  - ChatGPT, write me a reason to make more money as a tech CEO.
  - Charge for API access, take a cut of the extensions economy.
  - How do I do that, I'm open source?
- CamperBob2:
  > Today, AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.

  AI also goes a long way towards erasing the distinction between source code and executable code. The disassembly skill of a good LLM is nothing short of jaw-dropping. So going closed-source may be safer for SaaS, but closing the source won't save a codebase from being exploited if the binaries are still accessible to the public. In that sense, instead of dooming SaaS as many people have suggested AI will do, it may instead be a boon.
- creatonez: This is some truly exceptionally clownish attention-seeking nonsense. The rationale here is complete nonsense; they just wanted to put "because AI" after announcing their completely self-serving decision. If AI cyber offense is such a concern, recognize your role as a company handling truckloads of highly sensitive information and actually fix your security culture instead of just obscuring it.
- pcblues: Security by obscurity. Good luck. So novice.
- hmokiguess: Risk tolerance and emotional capacity differ from one individual to another; while I may disagree with the decision, I am able to respect the decision. That said, I think it’s important to try and recognize where things are from multiple angles rather than bucket things from your filter bubble alone. Fear sells and we need to stop buying into it.
- behringer: Security via obscurity, and you get to blame AI too! What a win for their marketing team.
- dec0dedab0de: This seems dishonest, like someone is forcing the decision for other reasons, and they're using security and AI as a distraction.
- righthand: Good for them. I’m sure they saw the writing on the wall when Monday.com was cloned. This is the right move.
- righthand: This is the future now that AI is here. Publishing is going to be dead; look at the tea leaves: how many engineers are claiming they don’t use package managers anymore and just generate dependencies? 5 years and no one will be making an argument for open source or blogging.
- tokai: Security through obscurity has been known to be a faulty approach for nearly 200 years. Yet here we are.
- popalchemist: Seems like it's just being used as a convenient pretense to back out of open source.
- quotemstr: LOL. Every generation has to learn anew that security through obscurity is no security at all.
- zb3: This has to be the most bullshit reason I've seen... if AI can be pointed and find vulnerabilities, then do it yourself before publishing the code.
- rvz: You know what? Great move. Open-source supporters don't have a sustainable answer to the fact that AI models can easily find N-day vulnerabilities extremely quickly and swamp maintainers with issues and bug reports left hanging for days. Unfortunately, this is where it is going, and the open-source software supporters did not foresee the downsides of open source maintenance in the age of AI, especially for businesses with "open-core" products. Might as well close-source them to slow the attackers (with LLMs) down. Even SQLite has closed-sourced their tests, which is another good idea.