> Closing your source code does not stop an AI from probing your API or finding an authorization bypass in your webhooks.
I see this trope a lot in security discussions. “Obscurity isn’t security” or “since you can’t protect against X you may as well do Y”.
This is a harmful trope, which discourages perfectly good protections. Sure, closing source is not a perfect protection, but it is a defense against a large band of attacks.
Think of the entire field of potential vulnerability probes attackers have. Closing the source closes many of them off, likely most of them.
A pen-tester model with the implementation will be loads more effective than one with only a black box. And that will give cal.com time to run the pen-testing model on the source and address the vulns, hopefully before they are exploited.
I tested this myself, first using black-box model attacks, secondly using the source code. The model with the source found and exploited the vulns instantly. The model without failed.
The lesson is: obscurity is not security ALONE, but it is a component of security.