Susan Moeller
@SusanCMoeller

4.3K posts

Growth Marketing Manager at https://t.co/nTbGgdY8lX Data, marketing, and coffee make my world go round. Founder Women in #contentmarketing https://t.co/kCeDP3Je4p

New Jersey, USA. Joined February 2015
3.5K Following, 2.8K Followers

David Cramer@zeeg·
I think they mean well, but closed source doesn't improve security at all. In fact, most security researchers don't even bother digging into the source code because it's not needed. If you told me you're worried about folks ripping off your product because it's source available and you're not sure you can defend, identify, prosecute, etc., that would make a lot more sense.
Bailey Pumfleet@pumfleet

Open source is dead. That’s not a statement we ever thought we’d make. @calcom was built on open source. It shaped our product, our community, and our growth. But the world has changed faster than our principles could keep up. AI has fundamentally altered the security landscape. What once required time, expertise, and intent can now be automated at scale. Code is no longer just read. It is scanned, mapped, and exploited. Near zero cost. In that world, transparency becomes exposure. Especially at scale. After a lot of deliberation, we’ve made the decision to close the core @calcom codebase. This is not a rejection of what open source gave us. It’s a response to what risks AI is making possible. We’re still supporting builders, releasing the core code under a new MIT-licensed open source project called cal.diy for hobbyists and tinkerers, but our priority now is simple: Protecting our customers and community at all costs. This may not be the most popular call. But we believe many companies will come to the same conclusion. My full explanation below ↓

Susan Moeller@SusanCMoeller·
has anyone from the #OSS community made an argument different than "it's fine. nothing to see here"? The only chatter I'm seeing is based on a blind faith in things as they were being good enough for the future.
Susan Moeller@SusanCMoeller·
Genuinely curious to see more detailed defense of security through transparency that isn’t based on long standing community wisdom. That is necessarily biased toward what WAS true. What’s the rationale in current reality where there are motivated malicious actors in the picture at massive scale
Michael Arnaldi@MichaelArnaldi·
@pumfleet @calcom Security through obscurity is never a good idea. Sure, having access to the source code makes hacking it easier, but it also allows for more eyes to report issues faster, and truth be told 90% of hacks are because of people, not because of software. Anyway, whatever works for you!
Bailey Pumfleet@pumfleet·
Open source is dead. That’s not a statement we ever thought we’d make. @calcom was built on open source. It shaped our product, our community, and our growth. But the world has changed faster than our principles could keep up. AI has fundamentally altered the security landscape. What once required time, expertise, and intent can now be automated at scale. Code is no longer just read. It is scanned, mapped, and exploited. Near zero cost. In that world, transparency becomes exposure. Especially at scale. After a lot of deliberation, we’ve made the decision to close the core @calcom codebase. This is not a rejection of what open source gave us. It’s a response to what risks AI is making possible. We’re still supporting builders, releasing the core code under a new MIT-licensed open source project called cal.diy for hobbyists and tinkerers, but our priority now is simple: Protecting our customers and community at all costs. This may not be the most popular call. But we believe many companies will come to the same conclusion. My full explanation below ↓
Iván Fernández Calvo@kuisathaverat·
@pumfleet @calcom Closing the core code base does not resolve any security issue, it only hides them. Because of that, fewer people can audit the code, so it is more insecure.
Rock Preddy@RockPreddy·
@pumfleet @calcom Closing the source doesn't reduce your risk, it increases it tbw. This is a business, not a technical decision.
Susan Moeller retweeted
sunil pai@threepointone·
I empathise deeply with this stance. Reality meets Idealism. I don't blame them at all.
Belphegor@belphegor_1384·
@pumfleet @calcom Ah yes the best thing you could do to support open source efforts and the community is to close everything and not help dev teams adapt to a new era.
makise kurisu@aryanbaburajan·
@pumfleet @calcom what part of keeping the ship afloat do people not understand? yes, cal is buying time for themselves so their users aren't at immediate risks of security attacks. they're not running away from the problems, they're reducing damage.
Susan Moeller@SusanCMoeller·
@maceip @pumfleet @calcom Thanks. I’m not a developer and think of this more like a consumer of technology. The starting point in my mind is different and I appreciate you sharing this.
mac@maceip·
@SusanCMoeller @pumfleet @calcom
1) violates the implicit trust established with your community (if you were closing for $ this doesn't matter)
2) vendor lock in: when closed: if you change X, I can't fork to save X
3) transparency and trust-but-verify: what _are_ those cache servers doing?
Susan Moeller@SusanCMoeller·
@JonSnyderHQ @pumfleet @calcom Yes— we are all functioning in a psychopathic hurricane environment. Making decisions and calling it like we see it and not knowing if the whole thing will spin a different direction in the next week.
Jon@JonSnyderHQ·
@pumfleet @calcom This had to be a tough decision. Good luck going forward. AI is such a disruptor it's hard to see how things will turn out.
Susan Moeller@SusanCMoeller·
@smakosh @pumfleet @calcom @llmgateway That’s the kind of statement you can live to regret— rate of change is so fast right now that “always” and “forever” statements are dangerous and/or laughable.
Akshay_@AkshayApsingi·
cal once paid developers to fix live issues in github, anybody with internet connection and some coding skills was curious enough to understand the product end to end and fix issues and make some $$$.
Now it's closed source - vibe coders just wanted open source contribution in their Resume and flooded with 100s of PRs, Many possible vulnerabilities in so many PRs
>Code became entire surface area for attack
>team can't keep up with risk of attack for every PR that gets merged, Even Human developers have high chance to miss these.
> Realise only few need to be eligible to read/write code, cause everybody is just trying to push slop.
> make it closed source, cut down AI slop, reduce cyber attack threat
is this going to happen with more community projects?
mac@maceip·
@pumfleet @calcom ok so when you do this you lose customer trust -- which you specifically have a lot of already, so maybe it's fine. but it's a high price to get... what exactly?
Susan Moeller@SusanCMoeller·
@maxintechnology @pumfleet I don't see this as a statement on what is best forever. The speed of change is so fast now that permanent decisions are kind of a laughable idea.
Max Wolter@maxintechnology·
@pumfleet It's not about whether it's popular or not. It's about whether it's the right decision. If you keep the source closed while you wait it out and weather the storm, fine. If you think closed source is now the superior model permanently, you don't understand the new environment.
Bailey Pumfleet@pumfleet·
Appreciate the support 🙏 I knew this would be an unpopular decision but I care way more about our customers and the trust we have with them than random haters on Twitter
austin petersmith@awwstn

everybody is furious with @peer and @pumfleet for doing this
well, everybody except their actual customers who care a lot more about security than they do about indie devs having the right to self-host enterprise software
this is clearly the right call

Susan Moeller@SusanCMoeller·
@hrkrshnn @calcom Agree— if you think your best way to steward customer data is closed source, you shut that door and fast. Disagree about the premise if you want but the action is the right one every day of the year.
Hari@hrkrshnn·
The response to this is so polarizing. What O/S maintainers are facing right now is real. The looming security threats are real.

For context, we built a frontier zero-day factory called Apex. Yes, factory: you feed in code or other assets, let it rip for hours or days, and get zero-days out of the system. The tool has received almost a million dollars from bug bounty programs.

The cost of hacking is slowly going to zero, and defenders today are at a disadvantage compared to attackers.

If you're a business, the expectation to ship fast is going through the roof with agents building software. If you have customer data or money worth protecting, it's irresponsible to be ignoring what's happening in security right now.

It's commendable for @pumfleet and @calcom to be having this difficult conversation out in the open.

The counterpoints

1. "But Codex/Claude/Gemini is very good at decompiling, so this doesn't achieve anything": right now, it's an order of magnitude easier to find bugs in O/S code than decompiled or reverse-engineered ones. We've first hand experience here, having found severe bugs in both O/S and closed sourced assets with our 0-day factory. Closed source assets are still hit or miss. But I expect the gap to be lower as we work more. But O/S will always be easier to find bugs in and exploit compared to the reversed version. This applies not just to AI tools, but also for humans.

2. "Security through obscurity doesn't work": I agree, what @calcom and many others are doing is buying time. We're living in a unique moment in time where old dogmas need to be questioned. We went from "AI can't do basic" to "frontier models solving unsolved math problems" pretty quickly. There's a similar phenomenon happening in security
Susan Moeller@SusanCMoeller·
Respect for the team here. AI has massively muddied the water. Choosing to protect customers is the right call.
Susan Moeller@SusanCMoeller·
Never been a founder, but I've worked for several. The decisions they make are consequential. Deciding based on what's best for the people who trust you enough to pay you for your service is the right choice always.
Susan Moeller retweeted
fforres@fforres·
I agree 100%. On one hand, @calcom news are really sad to hear. On the other hand... Completely understandable. OpenSource is dead, and will either be rich folks doing it bc they don't need to work, or corporate pseudo-opensource :(