GoKawiilCal.com just closed their source code, arguing AI has made open source too dangerous. After 13 years of building Discourse in public, we're staying open. Here's why.
Cal.com have announced they’re closing their codebase and will no longer be an open-source product. Their reasoning is that AI has made open source too dangerous for SaaS companies. Code gets scanned and exploited by AI at near-zero cost, and transparency is now becoming exposure.
I understand where this is coming from; the industry is changing fast. New AIs with new cybersecurity capabilities are being released every few weeks. It's a scary world, and I agree completely that open-source companies need to adapt.
I do not agree with the decision that closing source is the solution to the security storm that is upon us.
I do not agree it is the correct narrow decision for SaaS providers, and I do not agree it is the correct decision for the industry at large.
I want to be clear and firm about the position Discourse is taking. We are open source, we’ve always been open source, and we will continue to be open source.
Ever since Jeff, Robin, and I shipped the first commits to the Discourse repository on GitHub, over a decade ago, the repository has been licensed under GPLv2. And that’s not changing.
The Closed-Source Argument
Cal.com’s position boils down to the claim that if attackers can read your code, AI will let them exploit it faster than you can either harden or patch it, and the forced action you need to take is to hide the code so you can buy time. There’s truth to the threat - AI has changed the speed at which vulnerabilities can be discovered. Over the past few months, our team has found and addressed a very large amount of latent security issues in Discourse using GPT-5.3 Codex, GPT-5.4, and Claude Opus 4.6 in our open-source codebase.
OpenAI and Anthropic are both extremely concerned about the vector, and in response GPT-5.4-Cyber and Anthropic Mythos are being rolled out cautiously.
... continue reading