Cal.com to close core codebase; Strix fires back — “Open source isn’t dead”

The announcement
Cal.com announced it is moving its core codebase away from open source, saying AI-driven tools have made vulnerability discovery cheap and automated and that greater transparency now equals greater exposure. It has been reported that CEO Bailey Pumfleet framed the shift as a protective move for users, arguing that attackers can now do at-scale scanning and exploitation at “near zero‑cost.” The decision has landed like a splash in a small pond — quick, loud, and full of ripples across the developer community.
The pushback
Not long after, Strix — an open‑source maker of autonomous AI security agents that says it processes billions of LLM tokens daily and recently crossed 24k stars — pushed back in a blog post. It has been reported that Strix worked with Cal.com to responsibly disclose bugs they found, and describes the Cal.com move as well‑intentioned but ultimately the wrong lesson. Strix argues closing the repo removes helpful “many eyes” while leaving the live attack surface exposed to black‑box AI testing that doesn’t need source access to find flaws.
The stakes and argument
The core of the debate is simple: do you hide the lamp or hire better night watchmen? Strix warns that security through obscurity is a bad bet against tireless automated attackers and urges firms to “fight fire with fire” — fold AI defenders into CI/CD so exploits are caught continuously. It has been reported that Cal.com’s pivot stems from a sincere desire to protect users; the emotional punch here is that two teams on the same side of the street disagree about the right tactics. Who’s got it right? Time — and what attackers actually do next — will tell.
Why it matters
This isn’t just a squabble between two startups. It cuts to a broader industry dilemma: as AI multiplies attack throughput, should the response be secrecy or smarter automation? Strix is doubling down on openness, saying the tools to defend must be as accessible as the tools used to attack. Cal.com’s move will be watched closely — and debated loudly — by open‑source maintainers, security teams, and anyone who ships code into production.
Sources: strix.ai, Hacker News