Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings
cal.com
Cal.com goes closed source after 5 years. Here’s why rising AI-driven security risks and vulnerability discovery are forcing us to protect customer data.

After five years as open source champions, Cal.com is going closed source. This wasn’t an easy decision, but in the age of AI-driven security threats, protecting customer data has to come first. Cal.diy will continue as an open option for hobbyists.

  • Ledivin@lemmy.world
    341·
    4 days ago

    This doesn’t really solve the problem. Security through obscurity has always been the laziest and least effective method to secure your code

    • Bakkoda@lemmy.world
      6·
      4 days ago

      Reduced staffing always leads to this. Less code review happens no matter what so it’s a lose lose.

  • the_crotch@sh.itjust.worksEnglish
    15·
    4 days ago

    If AI scanning code for vulns is the problem, why don’t the developers have AI scan their code for vulns before release?

    • Deebster@infosec.pub
      10·
      4 days ago

      They do give a clue as to a reason/excuse why not in the article:

      Each [AI security] platform surfaces different vulnerabilities, making it difficult to establish a single, reliable source of truth for what is actually secure.

      Also, they come up with so many false positives that it’s a huge job to check over the reports for something usable.

      • Ledivin@lemmy.world
        9·
        4 days ago

        That’s literally just pen testing, though. You search through tons of holes just to find the tunnel you were going down was blocked and not an issue.

    • unmagical@lemmy.ml
      7·
      4 days ago

      I asked this at my company wide security training session. The answer I received was that 0 days are hard to detect which is what makes them dangerous. Well duh, you just told me criminals were using currently available open source AI tools to find them. A total non answer was provided.

      So I just used the company mandated AI to scan or source code for vulnerabilities and patched the 2 it found.

  • hitmyspot@aussie.zone
    7·
    4 days ago

    AI being used to scan for vulnerabilities should not make a difference. The same AI that black hatters can use can be used bobwhite hat security.

    Sure, it makes finding vulnerabilities easier in the short term but the concept of open source makes vulnerabilities less likely in the long term.

    This is a bad call which will likely be damaging for them and for the community.

  • originalucifer@moist.catsweat.com
    33·
    4 days ago

    im very confused, can any developers comment?

    isnt this literally the reason to be open source? that vulnerabilities can be scanned and fixed publicly.

    that there is now tooling that can lightspeed accelerate the detection of bugs shouldnt change that fact… or am i missing something?

    • TacoEvent@lemmy.zipEnglish
      30·
      4 days ago

      Cal.com hasn’t been truly open source for awhile despite the marketing. Just the barest minimum of the app is open source. I imagine this is a way to absolve themselves of maintenance responsibility on the public repo.