AI bug hunting pushed HN back into the open-source security debate

Original: Open Source Isn't Dead

Apr 17, 2026 By Insights AI (HN)

Open Source Isn't Dead climbed to 351 points on HN because it hit a nerve that many maintainers are already feeling. The Strix post uses Cal.com’s move away from open source as the hook, but the bigger claim is about AI security: automated vulnerability discovery changes the cost curve, yet hiding source code does not make the running product disappear.

Community discussion noted that this is not theoretical for small projects. One open-source maintainer described a recent rise in security reports that appeared to be AI-assisted. Many were edge cases, but some were real and got fixed. That is the pro-open argument in practical form: noisy review is still review, and a closed service can still be probed, fuzzed, and exploited without receiving the same stream of outside fixes.

The pushback was just as important. Several commenters suspected that “AI finds bugs at scale” may be a convenient security story for a harder business problem. Open-source SaaS is difficult to monetize, and AI makes it easier for competitors, users, or attackers to read, adapt, and operationalize code. Others defended a narrower form of obscurity: not as a primary security model, but as one extra cost imposed on an attacker who now also pays in tokens, time, and tooling.

The useful takeaway is not that every project should stay open or close up. The thread points to a more specific maintenance burden. Open projects need better triage for automated reports, reproducible proof, and continuous scanning that does not drown maintainers. Closed projects need a credible answer for how they replace public audit pressure. HN upvoted this because AI did not settle the open-source security argument. It made the tradeoffs more expensive and harder to hand-wave away.
