AI has changed vulnerability discovery, but closing source code does not remove the attack surface. Continuous AI defense is the better response.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Cal.com announced it is closing its source code, citing AI-automated vulnerability discovery as a near-zero-cost threat. Strix, an open-source AI security platform, disagrees with this conclusion. Their argument: black-box AI agents don't need repo access to exploit live endpoints, APIs, or business logic flaws. Closing source code removes helpful community scrutiny while leaving the attack surface fully exposed. The real answer is integrating AI-driven security testing directly into CI/CD pipelines — continuous automated defense to match continuous automated attack. Open source remains viable; the solution is fighting AI threats with AI defenders, not obscurity.

Open Source Isn't Dead.

Black-box AI does not care if your repo is private

Security through obscurity is a losing bet against automation