Open-source scheduling platform Cal.com announced on Tuesday (April 15) that it is moving its commercial codebase to closed source, citing AI-driven security risks. The company simultaneously launched Cal.diy, a stripped-down open-source version under the MIT license for hobbyists and developers.
“Open source code is basically like handing out the blueprint to a bank vault,” said CEO Bailey Pumfleet in a press release. “And now there are 100× more hackers studying the blueprint.”
The decision marks a dramatic shift for Cal.com, which built its identity around being an open-source alternative to Calendly over the past five years.
Cal.com says generative AI has fundamentally changed the security landscape. While AI coding assistants help developers write software faster, those same tools make it significantly easier for attackers to scan publicly available code for vulnerabilities.
“Open source security always relied on people to find and fix any problems,” said co-founder Peer Richelsen. “Now AI attackers are flaunting that transparency.”
The company pointed to Anthropic’s Mythos Preview, announced in early April, as evidence of the threat. That model identified a 27-year-old vulnerability in OpenBSD — one of the most security-focused open-source projects — and generated working exploits in hours. Mythos also caught a 16-year-old FFmpeg vulnerability that automated testing tools had scanned five million times without flagging.
According to Huzaifa Ahmad, CEO of security firm Hex Security, open-source applications are now 5–10× easier to exploit than closed-source alternatives.
What’s Changing
Under the new structure:
Cal.com (Commercial): The production codebase has moved from a public repository to a private one. Enterprise and paid users will receive invites to the private GitHub repository. The company says nothing changes for existing customers — this is primarily a license change.
Cal.diy (Open Source): A new community edition released under the MIT license. It’s fully open source and self-hostable, but Cal.com explicitly positions it for “personal, non-production use” and does not guarantee its security. The version is stripped of enterprise and commercial features.
“We are committed to protecting sensitive data,” Pumfleet said. “We want to be a scheduling company, not a cybersecurity company.”
Background
Cal.com was founded in 2022 by Pumfleet and Richelsen as an open-source scheduling platform. It offers Calendly-like appointment management tools — allowing users to schedule meetings, interviews, or consultations through shareable links — while giving developers the ability to self-host and customize the system.
The company describes itself as the maintainer of the world’s largest Next.js open-source project and has seen its security demands escalate over the past four months.
Industry Reaction
The announcement has sparked debate in the open-source community. Critics on Hacker News questioned whether the security rationale holds up, noting that Cal.diy’s existence seems to contradict the argument — if the code is too dangerous for enterprise use, why is it safe for hobbyists?
Others suggested the move may be as much about preventing competitors from forking the codebase as about security.
Cal.com maintains it still believes in open source and would consider reopening the codebase if the security landscape changes. “This decision is entirely around the vulnerability that open source introduces,” Pumfleet said. “We still firmly love open source.”
