Cal.com, the open-source scheduling platform that positions itself as a Calendly alternative, announced on April 15 that it is moving its commercial codebase from source-available to closed source. The stated reason: AI coding tools now make public code a security liability. The company simultaneously launched Cal.diy, a stripped MIT-licensed community edition for self-hosting.
This makes Cal.com the first major commercial open source project to name AI explicitly as the reason for going proprietary, according to coverage from ZDNet, The New Stack, and Slashdot.
The AI Vulnerability Scanning Argument
CEO Bailey Pumfleet told ZDNet that AI programs such as “Claude Opus can scour the code to find vulnerabilities,” prompting the licensing change. “Open-source code is basically like handing out the blueprint to a bank vault. And now there are 100x more hackers studying the blueprint.”
Co-founder Peer Richelsen added: “Open source security always relied on people to find and fix any problems. Now AI attackers are flaunting that transparency.”
The threat model Cal.com describes is straightforward: AI-assisted code analysis tools (Copilot, Cursor, Claude Code, Gemini) can scan any public repository at scale, identify vulnerability patterns, and generate exploit code faster than traditional penetration testing. A public GitHub repository thus becomes an attack surface with a built-in, LLM-powered vulnerability scanner freely available to any motivated attacker.
The move was not triggered by Anthropic’s Mythos model specifically, though Pumfleet acknowledged its relevance. “We saw this coming anyway. Even without Mythos, it’s incredibly easy to point previous generation models like Claude Opus at an open source codebase” and find holes, he told ZDNet.
What Changes and What Stays Open
The official Cal.com blog post details the split. The commercial edition, previously source-available under the AGPL, is now closed source. Existing enterprise self-hosting customers will receive invites to the private GitHub repository. For everyone else, nothing changes on the product side.
Cal.diy, the new community fork, ships under the MIT License with authentication, data-handling, and commercial systems stripped out. It is explicitly “for hobbyists” and offered “at your own risk,” per the blog post. The MIT License is deliberately permissive, giving the community maximum freedom to fork and modify.
Huzaifa Ahmad, CEO of Hex Security, was quoted in ZDNet supporting Cal.com’s logic: “Open-source applications are 5-10x easier to exploit than closed-source ones. The result, where Cal sits, is a fundamental shift in the software economy.”
The Counterargument
ByteIota raised the strongest objection: AI can also analyze compiled binaries. Closing the source removes one layer of the attack surface, the readable source code, but it does not eliminate AI-assisted vulnerability scanning entirely. The question is whether source code access gives AI tools enough additional signal to make the difference material, or whether this is a business decision dressed in a security rationale.
The Slashdot discussion, typically hostile to open source projects going closed, is a real-time indicator of developer community sentiment. If the community accepts Cal.com’s AI security argument, other commercial open source projects will adopt it. If they reject it as pretext, Cal.com risks losing its community advantage without gaining an equivalent security benefit.
The Licensing Precedent
Cal.com claims to be the largest Next.js project and has built its developer community on open source since 2022. The decision to go proprietary while preserving a stripped MIT community edition is a new licensing pattern: full commercial product behind closed walls, community fork with non-sensitive components open.
This is a different move from the license-swap trend of recent years, where companies like HashiCorp switched from open source to semi-proprietary licenses like BSL for business reasons. Cal.com’s framing is explicitly about security, not revenue protection. Whether the rest of the commercial open source ecosystem adopts “AI makes public code dangerous” as a licensing rationale, or whether Cal.com’s case remains an outlier, is the question every open-source-based SaaS company is now evaluating.