Cal.com, the open source Calendly alternative, announced it's going closed source after five years. The reason? AI security threats. CEO Bailey Pumfleet argues that AI can now systematically scan public codebases for vulnerabilities, which makes publishing source code like handing attackers the blueprints to the vault. The company points to AI uncovering a 27-year-old bug in the BSD kernel within hours as evidence. Instead of full open source, they're releasing Cal.diy, a stripped-down MIT-licensed version for hobbyists, while their production codebase goes private.
The security community isn't buying it. Drew Breunig published a counter-argument suggesting open source might actually be safer in the AI era. His logic: if defenders can share auditing budgets across organizations, widely-used open libraries could end up more secure than isolated closed-source code. Hacker News commenters pointed out that if AI-assisted security audits can scan for vulnerabilities, defenders could integrate the same scanning into their build pipelines instead of hiding the code entirely.
Ryan Leesipes, head of the Thunderbird project, moved fast. He confirmed that Thunderbird Appointment, an open source scheduling tool, will stay open source and invited Cal.com users to migrate. That's a clear market opening for competitors willing to bet on transparency.
The practical wrinkle: Cal.com's old MIT-licensed code is still out there and anyone can fork it. But Cal.com says their production code has undergone major rewrites to authentication and data handling, so any fork would start from a technically outdated foundation. If the community wants a real open alternative, they'll need to close that gap quickly. Doable, but it's real work.