Discourse co-founder Sam Saffron drew a hard line this week: the company is staying open source, full stop. The post was a direct response to Cal.com's announcement that it is abandoning open source, which argues that AI has made open source "too dangerous" for SaaS companies. Cal.com's reasoning is that AI scanners can now find and exploit vulnerabilities at near-zero cost, so hiding your code buys you time. Saffron thinks that's the wrong read.
He's not dismissing the threat. Discourse has been running AI security scans with GPT-5.3 Codex, GPT-5.4, and Claude Opus 4.6, and finding real problems. Their last monthly release included fixes for 50 security issues caught during multi-day scans with GPT-5.4 xhigh. Saffron acknowledges that AI can surface in hours what used to take human researchers weeks. His point: those same AI tools don't need your source code to find vulnerabilities. They work fine against compiled binaries and the JavaScript your browser receives on every request. Closing your repo mostly just shrinks the pool of defenders who can inspect the full system.
The core argument is about defensive capacity. When code is public, anyone from your security team to outside researchers can run AI scans against it. When it's closed, only your internal team has that access, while attackers can still probe from the outside. Saffron also notes that the world's most critical infrastructure runs open source under constant attack. Linux gets hardened precisely because so many people can see it. Discourse has been GPLv2 for 13 years, serving over 22,000 communities, and Saffron says they haven't seen evidence that public code made them less secure.
He's blunt about why companies actually go closed source: competitive pressure and investor demands, plus the governance headaches that come with public code. These are real business problems. But wrapping them in a security argument doesn't make them security decisions. Discourse is betting that AI favors the side with more defenders, not fewer.