Discourse Doubles Down on Open Source as AI Changes the Security Game

Startups Reporter

While Cal.com closes its codebase citing AI-powered security threats, Discourse reaffirms its commitment to open source, arguing transparency enables better defense against AI-driven attacks.


In a bold move that bucks the growing trend of open-source companies closing their codebases, Discourse has reaffirmed its commitment to open source, directly challenging the narrative that AI-powered security threats make transparency a liability.

The AI Security Paradox

The debate intensified when Cal.com announced they would be closing their codebase, citing concerns that AI has made open source too dangerous for SaaS companies. Their argument is straightforward: AI tools can now scan and exploit vulnerabilities at near-zero cost, and transparency has become exposure.

Sam Saffron, co-founder of Discourse, doesn't buy it. "I do not agree with the decision that closing source is the solution to the security storm that is upon us," he writes. "I do not agree it is the correct narrow decision for SaaS providers, and I do not agree it is the correct decision for the industry at large."

Why Open Source Might Be the Better Defense

Saffron's argument centers on a counterintuitive point: the same AI systems that can find vulnerabilities in open source code can also find them in closed source systems. They work against compiled binaries and black-box APIs just as effectively.

"Closed source has always been a weaker defense for SaaS than people want to admit," Saffron explains. "A web application is not something you ship once and keep hidden. Large parts of it are delivered straight into the user's browser on every request: JavaScript, API contracts, client-side flows, validation logic, and feature behavior. Attackers can inspect all of that already, and AI makes that inspection dramatically cheaper."

The Numbers Tell a Story

The data supports this perspective. OpenAI's Codex Security scanned over 1.2 million commits across external repositories in a 30-day beta period, identifying 792 critical findings and 10,561 high-severity findings. That's a staggering volume of vulnerability discovery.

But here's the crucial question: who gets to use those tools? If your code is open source, your security team can scan it, your contributors can scan it, and independent researchers can scan it too. That dramatically increases the number of people who can help find real problems early.

Discourse's 13-Year Track Record

Since launching in 2013, Discourse has built a compelling case study. Jeff Atwood, Robin Ward, and Sam Saffron started the project because community software was stuck in the early 2000s, running on decade-old PHP codebases with security and upgrade models from another era.

Today, more than 22,000 communities run Discourse - from tiny startups to Fortune 500 companies. The entire codebase is on GitHub, GPL-licensed, with hundreds of outside developers contributing security patches.

"In 13 years of running Discourse in the open, we have not seen evidence that public source code made us less secure," Saffron notes. "We have had vulnerabilities, of course; every substantial piece of software does. But the pattern has generally been the one you would hope for: bugs were reported, coordinated disclosures were handled responsibly, CVEs published, and fixes shipped quickly."

The Real Reasons Companies Close Source

Saffron is sympathetic to Cal.com's position but argues they're framing a business decision as a security imperative. "I want to be fair to Cal.com here, because I don't think they're acting in bad faith. I just think the security argument is a convenient frame for decisions that are actually about something else."

Those "something elses" include competitive pressure (competitors can read your architecture), governance challenges (open-source communities push back), and investor concerns (why give away what they funded).

"These are all legitimate business pressures, and I don't judge anyone for feeling them," Saffron writes. "But they're business decisions, not security decisions."

How Discourse Handles Security in 2026

Discourse has embraced AI-powered security scanning as a core part of their defense strategy. Every release cycle, their team deploys the latest AI vulnerability scanners for multi-day deep analysis of their codebase.

The process is methodical: they loop through hundreds of controllers, looking at each independently for vulnerabilities. For each candidate vulnerability found, they validate it by directing an AI agent to write a failing test inside a container running a full working Discourse environment.

"Only if it is able to demonstrate that the issue it found is real will we count it as an issue and escalate it to the human queue," Saffron explains. "A huge advantage is that we also get a candidate working patch for us to validate during this process."
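As an added illustration (not Discourse's own tooling), the Ruby sketch below models that validation gate: a candidate finding reaches the human queue only when the agent's reproduction test fails against the current code and passes once the candidate patch is applied. The toy controller action, the finding and both patches are constructed for this example.

```ruby
# Constructed example of the "prove it before escalating" gate.
# Every value here is made up for illustration; nothing is Discourse code.

# Toy controller action: deletes a topic. The unpatched version never checks
# whether the caller is staff (a constructed missing-authorization bug).
UNPATCHED_DELETE = ->(_user) { { status: 200, deleted: true } }

# Candidate patch proposed by the scanner: refuse unless the caller is staff.
CANDIDATE_PATCH = ->(user) do
  user[:staff] ? { status: 200, deleted: true } : { status: 403, deleted: false }
end

# A patch that changes nothing relevant (constructed), to show the gate rejecting it.
BAD_PATCH = ->(_user) { { status: 200, deleted: true, note: "reviewed" } }

# Reproduction test the agent wrote: a non-staff user must be refused with 403.
# Returns :pass or :fail for whichever action implementation it is handed.
REPRO_TEST = ->(action) do
  response = action.call({ staff: false })
  response[:status] == 403 && !response[:deleted] ? :pass : :fail
end

# A test that already passes on unpatched code: the claimed bug is not demonstrated.
FALSE_POSITIVE_TEST = ->(action) do
  action.call({ staff: true })[:status] == 200 ? :pass : :fail
end

# The gate. Outcomes:
#   :reject      the repro test passes on current code, so the finding is unproven
#   :needs_patch the bug is real but the candidate patch does not make the test pass
#   :escalate    real bug plus a plausible patch, hand it to the human queue
def triage(repro_test, unpatched, candidate_patch)
  return :reject unless repro_test.call(unpatched) == :fail
  return :needs_patch unless candidate_patch && repro_test.call(candidate_patch) == :pass
  :escalate
end

if __FILE__ == $0
  puts triage(REPRO_TEST, UNPATCHED_DELETE, CANDIDATE_PATCH)
  puts triage(FALSE_POSITIVE_TEST, UNPATCHED_DELETE, CANDIDATE_PATCH)
  puts triage(REPRO_TEST, UNPATCHED_DELETE, BAD_PATCH)
end
```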

The economics are compelling. While a full-source-code scan for Discourse could cost $2,000 at retail, the same scan costs only $50 on a $200-a-month plan. OpenAI and Anthropic also offer plans to many open-source companies and contributors.

The Biological Immune System Analogy

Saffron draws an elegant parallel between open source security and biological immune systems. "Biological immune systems work because they're exposed to threats. They encounter pathogens and build memory. An immune system that's never been challenged will collapse at the first real infection."

Open-source codebases work the same way - vulnerabilities that get found and patched make the software harder to attack. Security researchers who read the code add layers of defense, and public audits build institutional knowledge about where the weak points are and how to shore them up.

What We Owe the Ecosystem

Discourse exists because of open source. "We were built on Ruby, on Rails, on PostgreSQL, on Redis, on Ember, on Linux, and many other projects. All of them were open and maintained by communities that believed in transparency. We owe them the same thing back."

Cal.com acknowledged this in their announcement, saying closing their code "is not a rejection of what open source gave us." But Saffron argues that in practice, that's exactly what it is. "You can't take five years of community contributions, close the gate, and claim you're grateful. I don't think it works that way."

The Courage to Be Open

As AI continues to reshape the security landscape, Discourse is betting that transparency, not obscurity, is the better defense. "Open source isn't dead," Saffron concludes. "But it takes courage to do security properly instead of retreating behind a locked door and hoping nobody has a key. We've done it for 13 years and we're going to keep on doing it."

The debate over open versus closed source in the age of AI is far from settled. But Discourse's position is clear: in a world where AI makes vulnerability discovery dramatically cheaper, the stronger position is to let defenders use the same tools against code they can actually inspect.
