Artificial intelligence is rapidly reshaping the landscape of open source security, forcing companies to rethink long-standing development models. In response to growing risks, commercial open source applications are increasingly considering closing their codebases to better protect sensitive data. This shift reflects a broader industry concern that AI-powered threats are exploiting the very transparency that once defined open source innovation.

Traditionally, open source security relied heavily on community collaboration. Developers and researchers would identify vulnerabilities and contribute fixes, creating a collective defense system. However, as AI capabilities advance, attackers are now leveraging automation to scan, analyze, and exploit open code at an unprecedented scale. Consequently, the balance between transparency and security is beginning to tilt.

“Open source security always relied on people to find and fix any problems,” said Peer Richelsen, co-founder of Cal.com, the world’s largest Next.js project. “Now AI attackers are flaunting that transparency.”

Recent developments have further intensified these concerns. For instance, Anthropic’s Mythos model reportedly demonstrated the ability to breach highly secure systems, including OpenBSD, a platform widely recognized for its strong security posture. As a result, organizations are increasingly questioning whether open access to source code creates unnecessary exposure in the age of AI-driven attacks.

“Open source code is basically like handing out the blueprint to a bank vault,” said Bailey Pumfleet, CEO of Cal.com. “And now there are 100× more hackers studying the blueprint.”

Moreover, the growing sophistication of cyber threats has placed open source projects under heightened scrutiny. As one of the largest and fastest-growing open source startups, Cal.com has experienced a significant increase in security demands over the past few months. This trend highlights how open source platforms are becoming attractive targets for attackers seeking valuable data and vulnerabilities.

At the same time, third-party security experts have raised concerns about the inherent risks associated with open source systems. According to Huzaifa Ahmad, CEO of Hex Security, open source applications can be “5–10× easier to exploit than closed” systems. Therefore, organizations must carefully evaluate the trade-offs between openness and security.

As a result of these evolving challenges, the software industry is undergoing a fundamental shift. Companies that maintain open codebases may face increased risks to customer data, while those prioritizing security may choose to restrict access. This tension is redefining how businesses approach software development and data protection.

“We are committed to protecting sensitive data,” Pumfleet said. “We want to be a scheduling company, not a cybersecurity company.”

In line with this perspective, Cal.com has officially announced its transition to a closed source model. By doing so, the company aims to safeguard sensitive booking data and reduce exposure to emerging threats.

“Cal.com handles sensitive booking data for our users,” Pumfleet said. “We won’t risk that for our love of open source.”

Nevertheless, Cal.com is not abandoning open source entirely. To support developers and enthusiasts, the company has introduced Cal.diy, a fully open-source version of its platform designed for experimentation and non-critical use cases. This approach allows the organization to maintain its connection to the open source community while securing its primary application.

Overall, this move underscores a growing industry dilemma: balancing innovation and transparency with the need for stronger security in an AI-driven threat landscape.
