Cal.com considers AGPL a license to drill, but not everyone feels that way
# Industry News: Cal.com Abandons AGPL, Claiming AI Makes Open Source Insecure
## Summary
Cal.com, a leading scheduling infrastructure provider, has transitioned its core codebase from the open-source AGPL-3.0 license to a proprietary commercial license. CEO Bailey Pumfleet argues that "Open Source is dead" because AI-driven tools now allow attackers to exploit transparent codebases with unprecedented speed and scale.
## Key Details
- **Date:** April 2026
- **Companies Involved:** Cal.com, OpenAI (referenced for GPT 5.4-Cyber), Mozilla (competitor)
- **Category:** Licensing Shift / Strategic Pivot
## The Story
Cal.com has officially closed its commercial codebase, ending years of adherence to the GNU Affero General Public License (AGPL). The company justifies this retreat by citing the rise of AI-powered cyberattacks. According to leadership, open-source code now acts as a "blueprint to a bank vault" for hackers who use Large Language Models (LLMs) to identify vulnerabilities 100x faster than humans.
The move has sparked a fierce debate within the developer community. While some industry leaders acknowledge that the pace of software creation is outstripping security capabilities, many critics view Cal.com’s move as a return to "security through obscurity." Skeptics argue that the shift is less about security and more about protecting commercial interests once a product reaches market maturity.
## Business Impact
### For the Companies Involved
- **Cal.com:** Risks alienating the community of contributors who helped build the platform. However, they gain tighter control over their IP and potentially reduce the risk of "copycat" commercial services.
### For Competitors
- **Mozilla Thunderbird:** Has already moved to capitalize on the fallout, positioning "Thunderbird Appointment" as a permanent open-source alternative to capture disgruntled Cal.com users.
- **Proprietary Competitors:** May feel vindicated in their closed-source models but face increased pressure to prove their security claims.
### For Customers
- **Enterprise Clients:** May face higher licensing costs and reduced visibility into the code they integrate into their tech stacks.
- **Developers:** Lose the ability to self-host or modify the core engine under the previous AGPL terms.
### For the Market
- **Licensing Trends:** This sets a controversial precedent. If other firms follow, it could signal a broader "enclosure" of the software commons driven by AI fears.
## Technical Implications
The central technical debate revolves around **"Tokens vs. Security."** Strategists suggest that hardening a system now requires out-spending attackers in "token consumption"—using AI to find and patch exploits faster than hackers can find them. Furthermore, the emergence of tools like **GPT 5.4-Cyber**, which claims to reverse-engineer binaries back to source code, suggests that closing code may offer no real protection against advanced AI.
## Strategic Analysis
- **Market Positioning:** Cal.com is moving from a "Community-Led Growth" model to a traditional "SaaS/Enterprise" model.
- **Competitive Advantage:** They are betting that a proprietary, controlled environment will be perceived as "safer" by risk-averse enterprise buyers.
- **Challenges:** They face a significant PR crisis and the loss of the "many eyeballs" benefit of open-source security auditing.
## Industry Reactions
- **The "Obscurity" Critique:** Many experts, including Simon Willison (Django co-creator), argue that open source is actually *more* valuable in an AI world because it allows companies to pool their "auditing budgets."
- **Cynicism:** Commentators on Reddit and Slashdot suggest Cal.com is using AI as a "fig leaf" to hide a purely commercial decision to stop giving away their product.
## Future Outlook
- **The AI Arms Race:** Watch for the development of "Defensive AI" tools designed specifically to patch code in real-time.
- **Binary Transparency:** If AI can effectively reverse-engineer closed code (as claimed by OpenAI), the distinction between open and closed source for security purposes may disappear entirely.
## For Security Professionals
The Cal.com pivot highlights a critical shift: the **"Time-to-Exploit"** is shrinking. Regardless of whether code is open or closed, attackers are using LLMs to scan for authentication oversights and access control flaws. Security practitioners should focus on:
1. **AI-Aided Code Review:** Incorporating LLM-based scanning into the CI/CD pipeline.
2. **Post-Obscurity Strategy:** Assuming that any binary can be reverse-engineered and focusing on robust architecture (Zero Trust) rather than hidden source code.