- Cal.com moves its core scheduling codebase from public to private after five years of open-source development.
- The company cites AI-powered vulnerability scanning as the primary security threat forcing the transition.
- A new MIT-licensed project called Cal.diy replaces the public repo for hobbyists and self-hosters.
- The announcement follows reports that AI uncovered a 27-year-old BSD kernel vulnerability and generated working exploits in hours.
Cal.com Closes the Code That Built Its Community
Cal.com, the open-source scheduling platform used by thousands of developers and enterprises, is going closed source. Co-founder Bailey Pumfleet announced the decision on April 14, calling it “a response to what risks AI is making possible.”
Open source is dead.
That’s not a statement we ever thought we’d make.
@calcom was built on open source. It shaped our product, our community, and our growth. But the world has changed faster than our principles could keep up.
— Bailey Pumfleet (@pumfleet) April 14, 2026
The core argument: AI tools can now scan open codebases systematically, map attack surfaces, and generate exploits at near-zero cost. “Being open source is increasingly like giving attackers the blueprints to the vault,” the company wrote in its official blog post. Huzaifa Ahmad, CEO of Hex Security, contributed to the announcement, claiming open-source applications are “5 to 10 times easier to exploit” than closed ones.
The timing is not coincidental. Days before the announcement, reports surfaced that an AI system had uncovered a 27-year-old vulnerability in the BSD kernel — one of the most audited open-source projects in existence — and produced working exploits within hours. Peer Richelsen, Cal.com co-founder and chairman, told The New Stack: “We made this decision long before Claude Mythos and the OpenBSD vulnerability was announced, but the timing is frightening.”
The Community Is Not Buying It
The reaction on Hacker News and X has been sharp. Critics argue the AI security framing is a convenient cover for a business model shift. Closed-source code is not inherently more secure — it just hides the vulnerabilities from everyone, including the people who would fix them for free. Many in the open-source community point out that “security through obscurity” has been debunked for decades.
Cal.com is not abandoning the community entirely. The company released Cal.diy, an MIT-licensed fork for self-hosting and experimentation. But the production codebase — including major rewrites of authentication and data handling — stays behind closed doors. “Cal.com handles sensitive booking data for our users. We won’t risk that for our love of open source,” the company stated.
Whether this is a genuine security response or a strategic licensing play, Cal.com’s move signals a broader tension in the industry. If AI can weaponize transparency, the open-source model that built modern software faces an existential question — and Cal.com will not be the last company forced to answer it.