Open source is dead now?
Theo (t3.gg) argues Cal.com closing its source is a temporary security band-aid that AI will eventually render useless anyway.
- Cal.com, a T3 stack flagship and the best-known open-source Calendly alternative, closed its codebase, citing AI-enabled exploit automation.
- Anthropic’s unreleased Claude Mythos found a 27-year-old vulnerability in OpenBSD—one of the most security-hardened codebases in existence.
- Mythos completed a 32-step simulated corporate network takeover in 3 of 10 attempts; ASI budgeted $12,500 per attempt at 100M tokens.
- AI collapses the domain-knowledge barrier for finding exploits: attackers previously needed ~7/10 skill in both security and the domain; now 4/10 security skill alone may suffice.
- Closing source only buys time—once models improve at decompilation and deobfuscation, the advantage disappears entirely.
- Security is now a token-spend arms race: defenders must spend more tokens hardening than attackers spend exploiting.
- FFmpeg labeled Google’s AI-found CVE reports as ‘CVE slop’ and ignored them for 3+ months—Theo warns this attitude invites targeted exploitation.
- OpenAI released GPT-5.4 Cyber specifically for code hardening; access is whitelisted, giving defenders a head start before the model reaches bad actors.
2026-04-22