> **Opinion:** Cal.com considers AGPL a license to drill, but not everyone feels that way. Cal.com has closed its commercial codebase, abandoning years of AGPL-3.0 licensing in a move that has alarmed the developer community that helped build it and sent ripples through the broader open source world.…
# Industry News: Cal.com Abandons Open Source Citing AI Security Risks
## Summary
Cal.com, a leading scheduling infrastructure provider, has transitioned its commercial codebase from the AGPL-3.0 open-source license to a proprietary model. CEO Bailey Pumfleet justified the move by claiming that AI-driven exploitation makes open-source code "a blueprint to a bank vault," sparking a heated debate over the future of "security through obscurity" in the age of LLMs.
## Key Details
- **Date:** April 2026
- **Companies Involved:** Cal.com, OpenAI (referenced), Mozilla (Thunderbird)
- **Category:** Relicensing / Policy Shift
## The Story
Cal.com’s leadership has declared "Open Source is dead," arguing that the transparency of open-source software (OSS) has become a liability. The company posits that AI allows attackers to find vulnerabilities at a volume and speed that humans cannot match, effectively weaponizing the source code against the maintainers.
Critics, however, argue that Cal.com is using AI as a "fig leaf" to justify a pivot to a closed-source commercial model after benefiting from years of community contributions. Industry veterans point out that modern AI tools, such as the rumored "GPT 5.4-Cyber," are becoming adept at reverse-engineering binaries back to source code, which would render the protection offered by proprietary licenses moot.
## Business Impact
### For the Companies Involved
- **Cal.com:** Risks alienating the developer community that built its ecosystem. While it gains tighter control over its IP, it loses the "community-led growth" engine that powered its initial rise.
### For Competitors
- **Mozilla (Thunderbird Appointment):** Seizing the opportunity to poach disgruntled users and contributors by reaffirming a permanent commitment to open source.
- **Other OSS Schedulers:** Likely to see an influx of community support as developers seek "true" open-source alternatives.
### For Customers
- **Enterprise Clients:** May face higher costs and vendor lock-in but might perceive the move as a commitment to "enterprise-grade" security.
- **Developers:** Lose the ability to self-host or modify the core commercial engine without restrictive licenses.
### For the Market
- **The "Token War":** Shifts the cybersecurity paradigm to an economic one—defenders must now spend more "tokens" on AI-driven auditing than attackers spend on AI-driven exploitation.
## Technical Implications
This move challenges **Linus’s Law** ("given enough eyeballs, all bugs are shallow"). The new reality is **"Given enough tokens, all bugs are shallow."** If automated scanners can identify zero-days in seconds, the technical advantage lies with whoever has the most compute power, regardless of whether the source is public or private.
## Strategic Analysis
- **Market Positioning:** Cal.com is attempting to pivot from a "community tool" to an "enterprise security-first" platform.
- **Competitive Advantage:** By closing the code, they prevent "clones" from undercutting their commercial SaaS offering.
- **Challenges:** The "Security by Obscurity" fallacy. If AI can reverse-engineer binaries, Cal.com loses the security benefits of being closed-source while keeping the reputational damage of abandoning OSS.
## Industry Reactions
- **Skeptical:** Most analysts view this as a commercial decision masked as a security necessity.
- **Competitive:** Competitors such as Mozilla, through Ryan Sipes, are actively leveraging this "betrayal" of OSS values for market gain.
- **Cynical:** Community members on Reddit and Slashdot point to fundamental architectural flaws in Cal.com’s recent patches as the real issue, rather than "sophisticated AI hackers."
## Future Outlook
- **Binary Reversion:** If OpenAI or others release tools that reliably reverse-engineer compiled code, the distinction between "Open Source" and "Proprietary" security will vanish.
- **The Audit Race:** Expect a surge in AI-native security startups focusing on automated "continuous hardening" to stay ahead of AI-based exploit kits.
## For Security Professionals
Practitioners should be wary of the "security through obscurity" trap. The core takeaway is that **attack surface transparency is now a constant**, whether you publish your code or not. Security teams should focus on AI-augmented defensive auditing (DAST/SAST) rather than relying on license types to protect their codebase. Cal.com’s move suggests a future where high-velocity patching is the only viable defense against AI-driven exploitation.