Cal.com, the popular open-source scheduling platform known for handling sensitive booking data, has announced it is transitioning its flagship software to a closed-source model due to escalating security risks from AI-powered attackers. Co-founder Peer Richelsen explained that traditional open-source security depended on human reviewers to spot and fix vulnerabilities, but AI tools now enable attackers to rapidly scan public codebases for weaknesses, turning transparency into a liability. CEO Bailey Pumfleet echoed this, stating that open-source code is akin to "handing out the blueprint to a bank vault," especially as threats have intensified over the past four months for the fast-growing Next.js project.
This shift comes as Cal.com prioritizes protecting user data over maintaining full openness, with Pumfleet emphasizing, "We want to be a scheduling company, not a cybersecurity company." The company, one of the largest open-source startups in its category, cited third-party experts like Huzaifa Ahmad, CEO of Hex Security, who noted that open-source applications are 5 to 10 times easier to exploit than closed ones. The announcement drew discussion on Hacker News, where developers debated the sustainability of open source amid AI-driven attacks, while Slashdot reported the move as a direct response to these evolving threats.
To balance this change, Cal.com is releasing Cal.diy, a fully open-source version tailored for hobbyists and experimentation, separating low-stakes tinkering from the proprietary application that manages high-value bookings. This dual approach allows the company to maintain some community involvement without exposing enterprise users to risks. As reported in a PR Newswire release, the decision reflects a broader trend where commercial open-source projects face pressure to close their code to safeguard customers, potentially reshaping the software economy.
The move affects millions of users who rely on Cal.com for calendar integrations, automated scheduling, and tools like its earlier AI-powered Cal.ai assistant, which streamlines meeting bookings. Businesses and individuals handling confidential appointments now face decisions on whether to migrate or trust the closed-source protections, including Cal.com's existing ISO 27001, SOC 2, HIPAA, GDPR, and CCPA compliance. What happens next remains unclear, but the company vows continued commitment to security audits and vulnerability reporting, signaling a pivot toward enterprise-grade reliability over ideological openness. This development underscores growing tensions in the open-source world, where AI innovation both empowers creators and amplifies dangers.