Discourse Is Not Going Closed Source

Discourse doubles down

It has been reported that Cal.com announced it is closing its codebase, saying AI has made open source "too dangerous" for SaaS companies. In response, Discourse's founder Sam Saffron has made a blunt counterpoint: after 13 years of building in public, Discourse will stay open source under GPLv2. The tone is firm — not a shrug but a stance. Open, not shuttered.

The security debate

Cal.com's argument is straightforward: if attackers can read your code, AI will exploit it faster than you can patch, so hide the code and buy time. Discourse disputes that logic. It has been reported that the Discourse team used GPT-5.3 Codex, GPT-5.4, and Claude Opus 4.6 to find and fix latent issues in their public repository, and it has been reported that OpenAI said a Codex Security preview scanned over 1.2 million commits and flagged hundreds of critical and thousands of high-severity findings. The point: AI accelerates both offense and defense — and much of a web app's behavior is already exposed in browsers and APIs, so secrecy is often a paper shield.

What it means for the industry

The bigger question is not whether hiding code buys a little time, but who gets access to the new, powerful scanning tools. Transparency invites more defenders — researchers, maintainers, cloud vendors — to harden systems, the Discourse team argues, pointing to Linux and other critical infrastructure as proof that exposure can lead to resilience, not ruin. Is closing source a sensible moat, or a retreat that weakens the commons? The debate is feeding a larger industry reckoning about how open-source projects and SaaS vendors adapt when AI changes the rules overnight.

Sources: discourse.org, Hacker News