Cal.com Is Going Closed Source Because of AI

Published: April 15, 2026 at 05:00 PM EDT
Source: Slashdot

Background

Cal’s flagship scheduling software is being moved from an open‑source license to a proprietary one. The company argues that AI‑driven coding tools now make it much easier for attackers to scan public codebases for vulnerabilities.

“Open source security always relied on people to find and fix any problems,” said Peer Richelsen, co‑founder of Cal. “Now AI attackers are flaunting that transparency.”

“Open‑source code is basically like handing out the blueprint to a bank vault. And now there are 100× more hackers studying the blueprint,” added CEO Bailey Pumfleet.

When Cal was founded in 2022, Pumfleet wrote that the project would be open source because “limitations of existing scheduling products could only be solved by open source.” The platform grew to become one of the largest Next.js projects.

Reason for the License Change

According to ZDNet, the company is shifting from the GNU Affero General Public License (AGPL) to a proprietary license to protect the security of its commercial product. Pumfleet cites AI programs such as Claude Opus that can “scour the code to find vulnerabilities” as a key factor.

Industry Perspectives

Cal quoted Huzaifa Ahmad, CEO of Hex Security:

“Open‑source applications are 5–10× easier to exploit than closed‑source ones. The result, where Cal sits, is a fundamental shift in the software economy. Companies with open code will be forced to risk customer data or close public access to their code.”

Pumfleet emphasized the company’s focus:

“We are committed to protecting sensitive data. We want to be a scheduling company, not a cybersecurity company.”
“Cal.com handles sensitive booking data for our users. We won’t risk that for our love of open source.”

Open‑Source Alternative: Cal.diy

While the commercial version will no longer be open source, Cal has released Cal.diy, a fully open‑source edition aimed at hobbyists and developers who want to experiment without handling high‑stakes data.

Pumfleet concluded:

“This decision is entirely around the vulnerability that open source introduces. We still firmly love open source, and if the situation were to change, we’d open source again. It’s just that right now, we can’t risk the customer data.”

