Discussion
tananaev: I have an open source project and started receiving a lot of security vulnerability reports in the last few months. A lot of them are extremely corner cases, but there were some legit ones. They're all fixed now. Closed source software won't receive any reports, but it will be exploited with AI. So I definitely agree with the message of this article.
CodesInChaos: > The reasoning provided by their CEO, Bailey Pumfleet, is that AI has automated vulnerability discovery at scale,

That sounds like an excuse. The real reason is probably that it's hard to make a viable business out of developing open source.
funvill: This is just an excuse to close source their project while blaming AI. Spineless bullshit excuse instead of owning your choices. Shame.
Yaa101: I agree, it is shortsighted (next quarter syndrome). First of all, the AI does not need source to find vulnerabilities, and further it breaks the unwritten contract to exchange source for eyeballs, which creates better source. I guess the CEO wants less security and stopped evolution of its code.
linuxhansl: So Cal.com favors security through obscurity. Open Source was always open to "many eyes", in theory exposing itself to zero-day vulnerabilities. But the "many eyes" go for the good and the bad actors. As far as I am concerned... Way to go Cal.com, and a good reminder to never use your services.
p_stuart82: Separating the codebase and leaving 'cal.diy' for hobbyists is pretty much the classic open-core path. The community phase is over and they need to protect their enterprise revenue. Blaming AI scanners is just really convenient PR cover for a normal license change.
serial_dev: I'd think it's also much easier to spin up a (in some area) slightly better clone and eat into their revenue.
svnt: This is part of it for sure. It is also true that many open source businesses depended on it not being worth the trouble to figure out the hosting setup, ops etc, and the code. Typical open source businesses also make a practice of holding a few features back from the public repo. Now I can take an open source repo and just add the missing features, fix the bugs, deploy in a few hours. The value of integration and bug-fixing when the code is available is now a single capable dev for a few hours, instead of an internal team. The calculus is completely different.
righthand: Open source is dead, AI-pundits are applying the wrong lessons. No one has to accept AI.
ahmedallam2: Agreed. Blaming AI here feels like cover.
misiti3780: I have a large open source project and noticed the number of LLM-generated PRs is making it unmanageable. Every two weeks, I go in, kill all of them and when someone complains or asks why, I realize it was a real person and then I merge it. Is anyone else seeing this / fixed this problem?
Talderigi: Feels like people are arguing the wrong axis tbh. It's not open vs closed anymore, it's more like bug finding going from a few devs poking around to basically infinite parallel scanners.

So now you don't get a couple of thoughtful reports, you get many edge cases and half-real junk. Fixing capacity didn't change though.

Closing the repo doesn't really save you, it just switches from white-box to black-box... and that's getting pretty damn good anyway.

Real problem is: vuln discovery scaled, patching didn't. Now everything is a backlog game.
mikeryan: It's also now ridiculously easy to simply cherry pick from open source without actually "using" it. "I need to do foo in my app. Libraries bar and baz do these bits well. Pick the best from each and let's implement them here." I'd not be surprised if npmjs.com and its ilk turn into more of a reference site than a package manager backend soon.
charcircuit: Assembly is still source code, so really it comes down to whether the copy protection is obscuring the executable code to the point where the LLM is not able to retrieve it on its own. And if it can't, someone motivated could give it the extra help it needs to start tracing how outside inputs get handled by the application.
dangus: First we blamed AI for layoffs, next we are blaming AI for the AI bait and switch. It's entirely possible this CEO sincerely believes this, but that means you as a potential customer should stay away: now you know that the CEO of this company has no idea how technology works even at an executive level and/or that he doesn't consult his experts before making decisions.
pixel_popping: That's literally not it. A CEO can know how technology works and not apply it to their management; many people do things they "dislike" or don't believe in every day.
cadamsdotcom: > Security testing has to become an automated, integral part of the CI/CD pipeline. When a developer opens a pull request, an AI agent should immediately attempt to exploit it. When infrastructure changes, an AI should autonomously validate the new attack surface. You do not beat automated attackers by turning off the lights; you beat them by running better automation on the inside.

This feels like the core of the article, but it doesn't prove the need for open source.
simonreiff: Is there any recent research on whether open or closed-source projects are more secure? I am genuinely curious if anyone has studied the question.
reenorap: All content is going to go behind paywalls. There is zero incentive or reason for content creators to let AI slurp their content for free and distribute it and get all the money from it. Everything new will be licensed, and if AI companies want access to it, they will need to pay for it, just like we will.
pixl97: Of course this neglects why mostly free things that were posted on the internet generally won. Take Microsoft for example. All their money makers are licensed, yet at the same time you can download almost every single one for free and install it. The people that go behind paywalls don't realize how much they'll have to spend on marketing to catch up to those that are open. And that only frames the current state, where models are very expensive to train. Once model training is close to the point where a group of individuals can afford it, it's pretty much game over for our current paradigm. The software police will be running around trying to play whack-a-mole on open weight models with people all over the world.
themafia: > The real solution: fight fire with fire

Which works if you assume that AI can find 100% of your bugs. It can't. So this is a complete waste of your time and will hide actual bugs behind a layer of confidence _and_ obscurity. You're going to actually have to sit down and figure out how to provide real security in your product while earning profits. This is called "work." I understand Silicon Valley would like to earn money and not work. I am eager for these people to get their comeuppance.
pradn: Brilliant piece of content marketing:

1) Pulls you in with a catchy title that at first glance seems like a dunk on Cal.com (whatever that is).
2) Takes the "we understand your pain" approach to empathize w/ Cal.com, so you feel like you're on the good vibes side.
3) Provides a genuine response to the actual problem Cal.com is dealing with. Something you can't dismiss out of hand.
4) But at the end of the day, the response aligns perfectly with the product they're promoting (a click away to the homepage!)

This mix of genuine ideas and marketing is quite potent. Not saying this is all bad or anything, just found it a bit funny. The mixed-up-ness is the point!
shevy-java: Is it good marketing though? I mean personally I do not use AI, and I don't think this opinion of mine will change. I can't look into the future, but right now I don't use nor do I depend on AI. I guess it may work for some people, but even then I am unsure whether that is really good marketing. Riding on a hype train (which AI right now still is) is indeed easier, so that has to be considered.
BloondAndDoom: They are on the HN front page, therefore it's good marketing.
mdp: Exactly. I respect their decision to go closed source if that's what they need to do to make it a viable business, but just be honest about it. Don't make up some excuse around security and open source.
renewiltord: You should be honest about your own personal financial incentive in making these posts.
kreco: I'm sad to see this article being so upvoted while being kind of empty. The real content could fit in a comment.
janalsncm: Reading between the lines, it seems like they were working with cal.com and used red team bots to find vulnerabilities in cal.com's code. And they probably found bugs a lot faster than cal.com could fix them. So the CEO balked at the estimated cost of fixing and took his ball home. This article is effectively an announcement that cal.com is riddled with vulnerabilities, which should be easy to find in an archive of their code.
jongjong: I decided to not open source my latest project, but it has nothing to do with security concerns. My code is perfectly secure and bug-free. My concern is mostly financial. Most people would be in a better position to monetize my software than I am... Using AI to obfuscate the origin while appropriating all the key innovations. I wouldn't get any credit. Also, I'm not really interested in humans anymore. I have human fatigue.
flkiwi: > My code is perfectly secure and bug-free.

I mean, bold statement, but statistically speaking it's almost certainly incorrect. I will say that, irrespective of whether source is open or closed, I would be deeply skeptical of a project that made this assertion.
robocat: I assumed they were trying to be humorous. Although I find that type of humour obnoxious enough that it would put me off the project.
lelanthran: > Closed source software won't receive any reports, but it will be exploited with AI.

What makes you so sure that closed-source companies won't run those same AI scanners on their own code? It's closed to the public, it's not closed to them!
ihaveajob: More eyes, more chances that someone will actually use the tools. Also, the tools and how you use them are not all the same.
440bx: As someone who works on closed source software and has done so for a couple of decades, most companies won't even know about that, and of those who do, only a fraction give enough of a shit about it to do anything until they are caught with their pants down.