Theo - t3.gg · Tech
Open source is dead now?
TL;DR
Cal.com closed its source code citing AI-powered exploit risks, but the speaker argues this only buys temporary time and threatens open source's future.
Key Points
- 1. Cal.com abandoned open source due to AI security fears. The scheduling platform, one of the best-known full-stack TypeScript open-source apps and an early T3 stack example, closed its codebase, releasing only a hobbyist MIT-licensed fork called Cal.DIY.
- 2. AI has collapsed the domain-knowledge barrier to finding exploits. Previously, attackers needed a 7/10 in both security and domain knowledge; now a 4/10 in security and near-zero domain knowledge is enough because AI understands codebases deeply.
- 3. Anthropic's Claude Mythos proved the threat is real. By scripting agents to start from every file in a codebase, Mythos found a 27-year-old vulnerability in OpenBSD — one of the most security-focused codebases in existence — without elite human expertise.
- 4. Closing source only buys temporary time, not real safety. The speaker argues hiding code bumps required domain knowledge from ~1 back to ~4 out of 10, but as AI decompilation improves, that advantage will disappear again soon.
- 5. Cybersecurity is now a proof-of-work spending race. The AI Security Institute found Mythos completed a 32-step corporate network takeover in 3 of 10 attempts at $12,500 per run, with no sign of diminishing returns at 100 million token budgets.
- 6. Open source projects face a new mandatory hardening phase. A three-stage development cycle is emerging — development, code review, and autonomous hardening — where human input limits the first phase and token budget limits the last, making security an ongoing cost.
- 7. Dismissing AI-found CVEs, like FFmpeg did, is dangerous. Google spent months flagging a real exploit in FFmpeg's widely-included codec; FFmpeg ignored it and blamed Google publicly, illustrating how maintainer resistance to AI security reports creates exploitable gaps for bad actors.