SAN FRANCISCO – Cal.com, a prominent scheduling platform, announced on April 15, 2026, its decision to transition its commercial codebase from open source to a closed-source model. The company cited escalating security risks driven by advancements in artificial intelligence as the primary reason for this strategic shift. This move marks a significant departure for Cal.com, which previously positioned itself as an open-source alternative to services like Calendly.
The company's CEO, Bailey Pumfleet, emphasized the heightened vulnerability of open-source code in the current technological landscape. "Open source code is basically like handing out the blueprint to a bank vault," Pumfleet stated, adding, "And now there are 100x more hackers studying the blueprint." Co-founder Peer Richelsen further noted that while open-source security traditionally relied on community efforts to identify and fix issues, "AI attackers are flaunting that transparency."
Security experts have echoed these concerns, with Huzaifa Ahmad, CEO of Hex Security, claiming that open-source applications are now "5–10x easier to exploit than closed-source ones." Cal.com pointed to the capabilities of advanced AI models, such as Anthropic's Mythos Preview, which reportedly identified and exploited vulnerabilities in highly secure systems like OpenBSD. This demonstrates how AI tools can rapidly scan public code for weaknesses, making open-source projects high-value targets.
In conjunction with this change, Cal.com launched "Cal.diy," a fully open-source version of its platform under the MIT license, intended for hobbyists and developers. This community edition is stripped of enterprise features and is not guaranteed for production security, allowing the commercial product to handle sensitive user data in a more controlled environment. Pumfleet articulated the company's commitment: "We are committed to protecting sensitive data. We want to be a scheduling company, not a cybersecurity company."
The decision has sparked debate within the open-source community, with some questioning the security rationale, especially given the continued availability of Cal.diy. Sean Lynch, commenting on the broader implications, remarked, "> "Pinning blame on the security risk of being open source as the reason to go closed source is certainly a choice." This highlights the ongoing discussion about the balance between transparency, community collaboration, and proprietary control in the face of evolving cyber threats.
