Open source is dead now?

Cal.com, a prominent open-source scheduling platform and flagship example of a full-stack TypeScript app, has closed its source code citing AI-driven security threats. The author explores why this decision was made: AI models have dramatically lowered the barrier to finding exploits by eliminating the need for deep domain-specific knowledge, meaning anyone with basic security knowledge and token budget can now find real vulnerabilities in open-source codebases. The post covers Anthropic's Claude Mythos model finding a 27-year-old OpenBSD vulnerability, the emerging 'proof-of-work' framing for cybersecurity (defenders must outspend attackers in tokens), and a proposed three-phase development cycle of build, review, and harden. The author argues closing source only buys temporary protection, criticizes FFmpeg's dismissal of AI-generated security reports as 'CVE slop', and urges the community to keep fighting for open source rather than letting AI security fears drive projects closed.