@joshm Every French kid has to learn La Fontaine fables by heart at school :). The context here is a lion caught in a net who uses force in vain and a little rat he once spared saves him by patiently biting the mesh thread by thread until the net falls apart.
The great convergence in SaaS is happening:
Twenty is a CRM but we use it to run our eng org.
Part of me will miss the MySpace era of SaaS. One tool per problem, all slightly broken but with its own personality.
If you had told me 12 months ago that @thomasdesfrancs who has no software engineering background would be able to build this as code, I would not have believed it
@froehlichmmm @thomasdesfrancs Thanks! The video is just a fake coding editor we’ve built to embed on our website and show the capabilities. Internally I would say the team is 50-50 Claude Code / Cursor
@imrogb @thomasdesfrancs True for dev but not Enterprise! We want to be a company like Twilio or Cloudflare, that attracts everyone from solo dev to Enterprise. 100% of the Enterprises we’ve signed so far involved migrating from Salesforce, they are still the undebated leader :)
Open source isn't dead but it's true that our security model is.
Right now most SaaS products put all tenants on shared infrastructure. A free signup from a throwaway email often sits on the same database as a paying customer with sensitive data. If all code becomes more vulnerable then maybe the question is: when a breach does happen, how do we mitigate the scope/impact? Infrastructure is probably the most under-utilized lever outside of Enterprises.
At least SaaS will need to adopt standards inspired by how AWS handles service limits on new accounts, or how Stripe graduates merchants through risk tiers. We're currently exploring progressive tenant isolation on our cloud offering. The idea is simple: tenants earn trust over time and get moved into increasingly secure pools. A job evaluates security scores based on signals — KYC completed, payment history, usage patterns, anomalous behavior. New signups start sandboxed. Verified tenants graduate. Enterprise gets private endpoints.
But not sure if shared infrastructure even makes sense for most B2B applications (especially if you don't have a free tier). Starting at $20/month you can probably get a dedicated instance for each customer and give full network isolation from day one. Then open source makes even more sense because we're back to the traditional self-hosting model.
But the reason SaaS won over on-premise is that we were not able to build the right tooling to make upgrades and development easy. Our ecosystem is designed around shared databases with tenant_id columns. Managing a fleet of isolated instances, deploying migrations to thousands of tenants, monitoring across all of them, we don't really have a good framework for that. But it's a problem worth solving!
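A sketch of the scoring job described in the thread above, as an added example that is not Twenty's code: it scores tenants on the signals the post names and plans pool moves, graduating one pool per run and demoting immediately on anomalies. The pool names, weights, the threshold of 60, and the one-step promotion rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

POOLS = ["sandbox", "verified", "private"]  # least to most isolated/trusted

@dataclass
class Tenant:
    name: str
    pool: str                 # current pool
    kyc_completed: bool
    paid_invoices: int
    failed_payments: int
    account_age_days: int
    anomaly_flags: int        # open alerts from usage monitoring
    enterprise: bool = False  # signed enterprise contract

def trust_score(t: Tenant) -> int:
    """Score 0-100. Weights are illustrative assumptions, not from the post."""
    score = 40 if t.kyc_completed else 0
    score += min(t.paid_invoices, 6) * 5           # payment history, max 30
    score += min(t.account_age_days // 30, 6) * 5  # tenure, max 30
    score -= t.failed_payments * 10
    score -= t.anomaly_flags * 25
    return max(0, min(100, score))

def target_pool(t: Tenant) -> str:
    if t.anomaly_flags:                 # anomalous behavior overrides any score
        return "sandbox"
    if trust_score(t) < 60:
        return "sandbox"
    return "private" if t.enterprise else "verified"

def plan_moves(tenants):
    """Return (name, from_pool, to_pool) moves; migration itself is out of scope."""
    moves = []
    for t in tenants:
        cur, want = POOLS.index(t.pool), POOLS.index(target_pool(t))
        if want > cur:
            moves.append((t.name, t.pool, POOLS[cur + 1]))  # graduate one step per run
        elif want < cur:
            moves.append((t.name, t.pool, POOLS[want]))     # demote immediately
    return moves

# Constructed sample tenants
TENANTS = [
    Tenant("throwaway", "sandbox", False, 0, 0, 2, 0),
    Tenant("acme", "sandbox", True, 4, 0, 120, 0),
    Tenant("bigco", "verified", True, 6, 0, 200, 0, enterprise=True),
    Tenant("drifted", "verified", True, 6, 0, 300, 1),
]
```

The asymmetry is the point: promotion is slow and stepwise, while a single anomaly flag sends a tenant back to the sandbox regardless of its accumulated score.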
No issue with your business decision but stop framing it as a moral imperative. Tons of software will stay open source (including Twenty). It is true that the security risk is growing for all software, but there are more interesting and nuanced conversations to have than "open source is dead."
For example, https://t.co/a4NTTNTKH3 could separate the public booking API from the private management API, then protect that management layer at the network level; enterprise customers on private endpoints, free-tier/low trust users on a different isolated network, etc.
This has a real cost, and it's fair to say not every company can afford to build that infrastructure. But it should be a conversation about engineering tradeoffs, not a declaration that open source is over.
Love you guys but you’re better than this "open source is dead" shitposting. Security by obscurity has never been a good solution. Closing the repo buys time but at the end of the day if the vulnerabilities remain then AI will also make it much easier to reverse engineer at the API layer / perform mass injection, etc.
Hey Chris, you can use it in prod with real customers without paying anything (for example you could create a cloud offering competing directly with https://t.co/fV9sU3DABu). The only limitation today is on SSO and our implementation of Stripe Billing. Happy to discuss on a PR if you want to suggest changes, I agree wording could be improved
@mitsuhiko https://t.co/qgcdCasEPX would love to see you try on our repo! Challenge: add a Merge option to the command bar to merge multiple duplicate records into one. So far none of our attempts came close to building a feature of that level of complexity cleanly
Congrats to the @twentycrm team on the $5M round!
Twenty (YC S23) is building a flexible Open Source CRM alternative to Salesforce: https://t.co/cA0W0PWIki
OSS has a great fit with enterprise infrastructure — not only with the usual data/cloud infra and dev tools, but also core business suites like CRM and ERP.
And I am happy to announce that we led a $5M seed round of @twentycrm, building an open-source alternative to Salesforce!