# Open Source Is Not Dead. Cal.com Just Drew the Wrong Conclusion

- Source: Hacker News trending (buzzing.cc Chinese translation)
- Author: bearsyankees
- Published: 2026-04-16 01:13
- AIHOT link: https://aihot.virxact.com/items/cmo0c2wg200l2sli2qzs5e8lg
- Original link: https://www.strix.ai/blog/cal-com-is-closing-its-code-due-to-ai-threats

## AI Summary

Cal.com recently announced that it is taking its open-source code closed, citing "AI threats", which has sparked an industry debate over the sustainability of the open-source model. The article argues that this decision reflects only the company's misjudgement of its own business model, not a systemic failure of open-source software. Although AI brings new challenges to commercialising open source, closing the source is neither the only nor the correct response to that disruption, and open source has not died because one company withdrew from it.

## Body

### Open Source Isn't Dead.

Strix, April 15th, 2026

Alex Schapiro

Today, Cal.com announced they are transitioning their core codebase away from open source. The reasoning provided by their CEO, Bailey Pumfleet, is that AI has automated vulnerability discovery at scale, making code scanning and exploitation "near zero-cost". In this new world, they argue, "transparency becomes exposure."

At Strix, we build autonomous AI security agents. We are an open-source project ourselves, recently crossing 24k stars, and our framework processes over 15 billion LLM tokens daily to find software vulnerabilities. In many ways, our platform is the exact technology Cal.com is worried about.

We have an immense amount of respect for the Cal.com team. Over the last few weeks, we have actually been working closely with them, using Strix to responsibly disclose vulnerabilities we found in their platform. Their engineering team has been incredibly responsive, professional, and genuinely dedicated to protecting their users. We know firsthand that this pivot to closed source is driven by a deep desire to keep their community safe. To honor our responsible disclosure timeline, we will not be discussing the specifics of those unpatched bugs here.

We agree with their premise: AI has fundamentally altered the security landscape. But we fundamentally disagree with their conclusion.

Closing your source code is not the solution to AI-driven security threats.

Here is why retreating from open source will not protect you from AI hackers.

### Black-box AI does not care if your repo is private

The assumption behind closing source code is that attackers need to read your code to exploit it. This might have been true for static analysis tools, but modern autonomous AI agents do not work like that.

Tools like Strix excel at black-box and grey-box testing. They dynamically interact with live endpoints, manipulate browser states, analyze network traffic, and uncover complex business logic flaws without ever needing repo access.

Closing your source code does not stop an AI from probing your API or finding an authorization bypass in your webhooks. It just removes the good eyeballs from your codebase while leaving your attack surface completely visible to the bad ones.

### Security through obscurity is a losing bet against automation

When code is closed, its security relies heavily on internal security teams and periodic, manual pentesting. But as Cal.com correctly noted, attackers now have infinite, tireless AI interns probing for flaws 24/7 at near-zero cost.

If you obscure your code, you are making a bet that your internal team can find and fix flaws faster than an automated swarm of external AI agents can discover them from the outside. Historically, security through obscurity has always failed. Against AI, it will fail exponentially faster.

### The real solution: fight fire with fire

Cal.com is right that the throughput of software development has outpaced traditional security. Code is shipped faster than human security engineers can review it.

But the answer is not to hide the code. The answer is to integrate AI defenders directly into the development lifecycle. If AI is bringing near-zero-cost exploitation, the defense must be near-zero-cost, continuous validation.

Security testing has to become an automated, integral part of the CI/CD pipeline. When a developer opens a pull request, an AI agent should immediately attempt to exploit it. When infrastructure changes, an AI should autonomously validate the new attack surface. You do not beat automated attackers by turning off the lights; you beat them by running better automation on the inside.
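As an added illustration of what "continuous validation" in a pipeline can mean at its simplest (this is example code written for this page, not Strix's or Cal.com's), the block below stands up a toy webhook receiver in-process and then probes it purely over HTTP, the way a black-box check in CI would against a freshly deployed pull-request build. The checker never reads the handler's source; it only knows the contract (the URL, the `X-Signature` header name and the test credential it was issued). The endpoint, header name, secret and event payload are all constructed for the example. A CI job would point `check_webhook_authz` at the review environment instead of the local toy server and fail the build when the returned list of findings is non-empty.

```python
"""Black-box authorization regression checks for a webhook endpoint (added example)."""
import hashlib
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed secret for the toy service; a real deployment loads it from config.
WEBHOOK_SECRET = b"constructed-demo-secret"


class WebhookHandler(BaseHTTPRequestHandler):
    """Toy receiver: accepts POST /webhook only with a valid HMAC-SHA256 signature."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        if self.path != "/webhook":
            self._reply(404, {"error": "not found"})
            return
        presented = self.headers.get("X-Signature", "")
        expected = hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; a missing, stale or malformed signature is rejected.
        if not hmac.compare_digest(presented, expected):
            self._reply(401, {"error": "bad signature"})
            return
        self._reply(200, {"ok": True})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def post(url, body, signature=None):
    """Send one POST and return the HTTP status; the probe only sees the wire."""
    headers = {"Content-Type": "application/json"}
    if signature is not None:
        headers["X-Signature"] = signature
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def check_webhook_authz(base_url, secret):
    """Black-box checks a CI job would run against a deployed build.

    Returns a list of findings; an empty list means every unauthorised request
    was rejected and the legitimately signed control request was accepted.
    """
    url = base_url + "/webhook"
    body = json.dumps({"event": "booking.created", "id": 1}).encode()
    good = hmac.new(secret, body, hashlib.sha256).hexdigest()
    findings = []
    # 1. No signature at all must be rejected.
    if post(url, body) != 401:
        findings.append("unsigned webhook accepted")
    # 2. A valid signature over different content must be rejected.
    stale = hmac.new(secret, b"{}", hashlib.sha256).hexdigest()
    if post(url, body, stale) != 401:
        findings.append("signature not bound to body")
    # 3. Garbage in the header must be rejected (no prefix or length shortcuts).
    if post(url, body, "00") != 401:
        findings.append("malformed signature accepted")
    # 4. Control: the legitimately signed request must still work.
    if post(url, body, good) != 200:
        findings.append("valid webhook rejected (the check, not the service, is broken)")
    return findings


def run_checks():
    """Start the toy service on a free loopback port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), WebhookHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return check_webhook_authz(base, WEBHOOK_SECRET)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
    print("checks complete")
```

The point of the four probes is that none of them needs the handler's code: the same checks run unchanged whether the receiver is open or closed source, which is the article's argument about black-box testing in miniature. In a pipeline they belong next to the functional tests, so that a pull request that weakens signature checking fails before it merges.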

### Open source is not dead

The era of relying solely on "many human eyeballs" to make bugs shallow might be ending. But open source is not dead.

We are keeping Strix open source because we believe transparency makes us stronger. The tools to secure the next generation of software need to be as accessible as the tools used to attack it. Hiding code will not stop the AI hackers, but empowering developers with their own autonomous security agents just might.

If your team wants to see what continuous AI-driven security testing looks like in practice, give Strix a try for free.

