> Closing your source code does not stop an AI from probing your API or finding an authorization bypass in your webhooks.

I see this trope a lot in security discussions: "Obscurity isn't security" or "since you can't protect against X you may as well do Y". This is a harmful trope, which discourages perfectly good protections. Sure, closing source is not a perfect protection, but it is a defense against a large band of attacks. Think of the entire field of potential vulnerability probes attackers have. Closing the source closes many of them off, likely most of them. A pen-tester model with the implementation will be loads more effective than one with only a black box. And that will give cal.com time to run the pen-testing model on the source and address the vulns, hopefully before they are exploited.

I tested this myself, first using black-box model attacks, secondly using the source code. The model with the source found and exploited the vulns instantly. The model without failed.

The lesson is: obscurity is not security ALONE, but it is a component of security.