LLM-powered scanners are hitting OSS projects at 10x historical vulnerability submission rates, forcing maintainers into permanent reactive security mode.
Key Takeaways
Metabase went from 10 security submissions/month to 10/week starting January 2026, with a higher signal-to-noise ratio and markdown reports that read as LLM-generated.
Any disclosed vulnerability must now be treated as already public: if Claude Code found it, Codex will too, so patch immediately regardless of coordinated disclosure timelines.
Cal.com moving closed source is a direct response; more commercial OSS operators are likely to follow to escape the reactive patching burden.
Non-commercial OSS maintainers are hit hardest: no paid staff for 4am Saturday patches, no bug bounty revenue to offset triage costs.
OSS users should treat every dependency as having an undisclosed vulnerability this quarter: pin deps, enforce least privilege, invest in observability, and budget for frequent upgrades.
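The "pin deps" advice above is easiest to act on when you can see which entries in a requirements file still float. The following audit script is an added example, not code from the original article or from any of the projects it mentions; it handles a subset of pip's requirements.txt syntax (comments, backslash continuations, extras, environment markers, `--hash` options and `-r` includes) and runs over a constructed sample file embedded inline. Exact pins without a `--hash` are reported separately, since a pin alone does not detect a re-uploaded or index-substituted artifact.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements file (not taken from the original page).
SAMPLE_REQUIREMENTS = """\
# constructed example for the audit below
requests>=2.0            # floating lower bound: any future release is accepted
flask==3.0.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
jinja2[i18n]==3.1.4
numpy
pyyaml~=6.0
click==8.*
-r other.txt
cryptography==42.0.5 ; python_version >= "3.8"
"""

# project name, optional [extras], then whatever version specifier follows
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")


@dataclass
class Finding:
    lineno: int
    name: str
    status: str   # "pinned+hashed", "pinned", "unpinned", "include" or "unparseable"
    detail: str


def _logical_lines(text):
    """Yield (first_lineno, line) with comments dropped and backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # requirement lines never carry a literal '#'
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def audit_requirements(text):
    """Classify every requirement line by how tightly it is pinned."""
    findings = []
    for lineno, line in _logical_lines(text):
        if line.startswith("-"):
            findings.append(Finding(lineno, line, "include",
                                    "option or included file; audit its target as well"))
            continue
        req, _, _marker = line.partition(";")   # environment marker is irrelevant to pinning
        parts = req.split()
        if not parts:
            findings.append(Finding(lineno, line, "unparseable", "empty requirement"))
            continue
        hashes = [p for p in parts[1:] if p.startswith("--hash=")]
        m = _REQ_RE.match(parts[0])
        if not m:
            findings.append(Finding(lineno, line, "unparseable", "could not parse requirement"))
            continue
        name, spec = m.group("name").lower(), m.group("spec").strip()
        # Only '==x.y.z' (or '===') with no wildcard and no second clause is an exact pin.
        exact = spec.startswith("==") and "*" not in spec and "," not in spec
        if exact and hashes:
            findings.append(Finding(lineno, name, "pinned+hashed", f"{len(hashes)} hash(es)"))
        elif exact:
            findings.append(Finding(lineno, name, "pinned",
                                    spec + " but no --hash: a re-uploaded artifact is not detected"))
        else:
            findings.append(Finding(lineno, name, "unpinned", spec or "no version specifier"))
    return findings


def summarize(findings):
    """Count findings per status, for a quick dashboard line or CI gate."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_requirements(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"line {f.lineno:>3}  {f.status:<14} {f.name}: {f.detail}")
    print(summarize(results))
```

A CI job can fail the build when `summarize()` reports any `unpinned` entries, and the `include` findings point at the files that need the same treatment; for the hash pins themselves, `pip install --require-hashes` refuses anything the file does not vouch for.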