Cal.com pulls core repository behind closed doors, citing AI-driven security fears

April 15, 2026

Move to closed source

Cal.com is locking down the heart of its scheduling platform. It has been reported that the company is moving its core codebase off the GNU Affero GPL and into a proprietary, closed repository — a dramatic reversal for a startup that launched in 2022 promising open source as its north star. The move, executives say, is a defensive response to what they describe as a new breed of AI-assisted attackers that can comb public code for vulnerabilities at scale.

Why now?

“It’s like handing out the blueprint to a bank vault,” CEO Bailey Pumfleet told ZDNet, and it has been reported that Cal’s leadership believes tools such as Claude Opus make those blueprints far more dangerous than before. Peer Richelsen, a co‑founder, warned that open source’s old safety net — people finding and fixing bugs — is being outpaced by automated scanning. It has been reported that Anthropic’s Mythos model also recently demonstrated the ability to surface serious issues in highly secure software, a sign, critics say, that transparency now carries new risks.

Compromise and consequences

Cal isn’t abandoning openness entirely. It has been reported that the company released Cal.diy, a fully open-source variant aimed at hobbyists and experimentation, while reserving the commercial product for a closed-code future. CEO Pumfleet allegedly said they’d reopen if the threat landscape changes, but for now they prefer to protect customer booking data rather than “become a cybersecurity company.” The decision raises a thorny question: will other projects, especially smaller teams without security bandwidth, follow suit and recast the economics of open source?

The broader picture

This is more than one startup changing a license. It’s a cultural tug-of-war between open-source ideals and pragmatic data protection — and AI is the new muscle in the middle. Who wins? Hard to say. But expect more heated debates, hurried audits, and perhaps a spate of forks and gated repositories as companies weigh openness against exposure.

Sources: zdnet.com