Discourse is not going closed source.

Here's why. 🧵

AI changed software security.

It's made vulnerability discovery faster, cheaper, and more widely available.

The threat surface is real, and we're not dismissing it.

But we don't believe going closed source is the answer.

The argument for hiding code = if attackers can read it, AI can help them exploit it faster than you can patch it.

But attackers don't need your repository to study your product.

They can inspect browser-delivered JavaScript, API contracts, client-side flows, validation logic, mobile clients, compiled binaries, and the behavior of the running system.

A SaaS product is never fully hidden.

Closing a repository might obscure some server-side implementation details.

But it won't make the system invisible.

What it mostly does is reduce the number of people who can help defend it.

Open source allows more people to inspect, audit, report, patch, and improve the software.

That matters more, not less, in an AI-accelerated security environment.

The world’s most important internet infrastructure already runs on open source:

Linux, PostgreSQL, Redis, Ruby, Rails, Ember, and countless other projects are scrutinized constantly by attackers, researchers, vendors, contributors, and maintainers.

They are attacked relentlessly.

But they're also hardened relentlessly.

Transparency is not the same thing as magic, but transparency enables a much larger defensive response.

AI changes the security calculus, but we believe it favors open source.

If code is open,

- Our team can scan it.

- Our contributors can scan it.

- Independent researchers can scan it.

- The community can inspect the full picture.

That might not guarantee that defenders always get there first.

But it dramatically increases the number of people who can find real problems early.

At Discourse, we lean into this reality.

When your code is public, you assume it will be examined closely.

So you invest earlier and more aggressively in finding and fixing issues before attackers do.

That urgency forces better habits, prevents complacency and makes security a living practice rather than a claim.

Discourse launched in 2013 because the state of community software was broken.

Forums were stuck on aging codebases, weak upgrade models, and security assumptions from another era.

Meanwhile, closed platforms were swallowing community discussion whole.

We built Discourse as open source because community software should belong to the communities using it.

Not to whatever platform happens to be hosting it this year.

Thirteen years later, more than 22,000 communities run Discourse.

Tiny startups, Fortune 500 companies, AI labs, private organizations and everything in between.

In 13 years of running Discourse in the open, we have not seen evidence that public source code made us less secure.

We think the future of security belongs to teams that can respond fast, learn fast, and let defenders use the best tools available.

We've done it for 13 years.

We're going to keep doing it.

If you enjoyed this thread you can read more here:

https://blog.discourse.org/2026/04/discourse-is-not-going-closed-source/

Discourse is Not Going Closed Source

Cal.com just closed their source code, arguing AI has made open source too dangerous. After 13 years of building Discourse in public, we're staying open. Here's why.
