Technology Cal.com Goes Closed Source Because "AI Can Easily Exploit Open Source Software"

lokamoka820

AI has been a mixed bag for the open source world. Some developers are using it to write faster, catch bugs, and review patches more efficiently. Others are watching the same tools get turned against the codebases they maintain.

Cal.com, a popular open source scheduling platform and one of the more well-known self-hostable alternatives to Calendly, has found itself in the second camp. After five years as an open source project, the company has announced that it is switching to a closed-source model, citing the growing threat of AI-powered vulnerability scanning.

This is a notable example of how AI is changing the cost of maintaining public code, especially for smaller teams.

Cal.com’s explanation is plausible in a general sense: public repositories can make automated bug discovery easier, and AI-assisted auditing lowers the barrier for both legitimate researchers and attackers. That said, I cannot verify from this post alone whether AI-driven vulnerability scanning was the primary reason, or just one factor among several business and operational concerns.

What this likely means in practice

  • Open source projects are under more pressure to review reports, triage issues, and harden infrastructure faster than before.
  • AI tools can help defenders too, but they also increase the volume of low-quality or mass-generated vulnerability reports.
  • For companies building commercial products on top of open source, the maintenance burden can become difficult if the security workload grows faster than the team.

Important nuance

Going closed-source does not automatically make software more secure.

  • It reduces public visibility into the code.
  • It may slow casual vulnerability discovery.
  • It also removes independent auditing by the community.
  • Security still depends on secure development practices, patch speed, architecture, and internal review quality.

In general, many users assume “closed source = safer” or “open source = safer,” but neither is reliably true on its own. The real difference is usually in how well the software is maintained, reviewed, and updated.

For self-hosting users

If someone is already using Cal.com, the practical concerns are probably these:

  • How long the existing open components will remain available and maintained
  • Whether self-hosted deployments will continue receiving timely security fixes
  • What the licensing change means for future upgrades, forks, and community contributions
  • Whether migration to another scheduling platform may eventually be necessary

The safest next step is to rely on Cal.com’s official announcement and licensing documentation rather than secondary summaries or social media takes.

Bottom line

AI-assisted vulnerability discovery is a real pressure on open source maintainers, but it should be viewed as one part of a larger security and business problem, not as proof that open source itself is failing. The key issue is whether a project can still deliver transparent, timely, and trustworthy security maintenance after the licensing change.

Cal.com can do whatever they want with their code, but this particular motivation is highly debatable. Security through obscurity is not a winning strategy according to CISA and other credible authorities, especially considering that advanced AIs are highly capable of probing black-box systems and proprietary software.

Companies can close off the text behind their code, but the logic always exposes itself to the user. While AI can still ruthlessly examine your closed systems and software, the code is now cut off from the immune system of the open-source community likewise assisted by AI. The burden of security hardening now rests on the shoulders of Cal.com's internal team.

Linus's law still applies here: "Given enough eyeballs, all bugs are shallow," except this also includes more AI eyeballs on the defensive side of open source.

CISA (Cybersecurity and Infrastructure Security Agency), the US federal authority on this, is a fierce proponent of open source for achieving "Secure by Design."

CISA: An open source agency
"There is a misconception that FOSS that is distributed to the public should not be integrated or modified for use in sensitive systems. On the contrary, FOSS is often preferred for use in sensitive systems, due in part to its increased auditability. In other words, security in FOSS must be designed never to rely on obscurity in how the code works."

"Publicly available source code enables continuous and broad peer review. Whether simply publishing the completed code or opening the development process, the practice of expanding the review and testing process to a wider audience—beyond the development team—ensures increased software reliability and security. Developing in the open also allows for other opinions to help adjust the direction of a product to maximize its usefulness to the community it serves."

According to Bruce Schneier—a world-renowned cryptographer, Harvard fellow, and widely cited authority on the AI cybersecurity arms race:
"But that’s just half of the arms race. Defenders get to use AI, too. These same AI vulnerability-finding technologies are even more valuable for defense. When the defensive side finds an exploitable vulnerability, it can patch the code and deny it to attackers forever."

"Presumably, AIs will clean up the obvious stuff first, which means that any remaining vulnerabilities will be subtle. Finding them will take AI computing resources. In the optimistic scenario, defenders pool resources through information sharing, effectively amortizing the cost of defense. If information sharing doesn’t work for some reason, defense becomes much more expensive, as individual defenders will need to do their own research. But instant software means much more diversity in code: an advantage to the defender."

Discourse is not going closed-source
"But I think the race to close software off misses something. Those same AI systems don’t actually need your source code to find vulnerabilities; they work against compiled binaries and black-box APIs."

"Closed source has always been a weaker defense for SaaS than people want to admit. A web application is not something you ship once and keep hidden. Large parts of it are delivered straight into the user’s browser on every request: JavaScript, API contracts, client-side flows, validation logic, and feature behavior. Attackers can inspect all of that already, and AI makes that inspection dramatically cheaper. Closing the repository may hide some server-side implementation detail, but it does not make the system invisible. What it mostly does is reduce how many defenders can inspect the full picture."

"The world’s most important internet infrastructure runs on open-source software, especially Linux. That code is exposed to constant scrutiny from attackers, defenders, researchers, cloud vendors, and maintainers across the globe. It is attacked relentlessly, but it is also hardened relentlessly. That is the real lesson of open source in security: transparency does not eliminate risk, but it enables a much larger defensive response."
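The quoted Discourse post argues that a SaaS front end cannot hide its API contract or its client-side validation, because the browser has to receive them. The block below is an added illustration of that point, not code from this thread, from Cal.com or from Discourse: a small static recon pass over a constructed, minified front-end bundle (the sample bundle, its routes and its validation regex are all made up for the example) that pulls out the URL paths, HTTP methods and client-side validation rules an attacker gets for free without any repository access.

```javascript
// Added example, not from the thread or from any vendor's code base.
// Static recon over a minified SPA bundle: recover the API surface and
// client-side validation that shipping to the browser necessarily exposes.

// Constructed sample bundle (hypothetical routes, loosely modelled on a
// built single-page app). Nothing here comes from a real product.
const SAMPLE_BUNDLE = `
(()=>{const B="/api/v2";async function q(p,o){return fetch(B+p,o)}
async function login(e,t){if(!/^[^@\\s]+@[^@\\s]+$/.test(e))throw Error("bad email");
return q("/auth/login",{method:"POST",body:JSON.stringify({email:e,password:t})})}
async function book(i){return q("/bookings/"+i,{method:"GET"})}
async function cancel(i){return q("/bookings/"+i+"/cancel",{method:"DELETE"})}
const ADMIN="/internal/admin/users";const role="user";if(role==="admin")q(ADMIN);
})();`;

// String literals that look like URL paths ("/api/v2", '/auth/login', ...).
function extractPaths(bundle) {
  const paths = new Set();
  const re = /["'`](\/[A-Za-z0-9_\-./]*)["'`]/g;
  let m;
  while ((m = re.exec(bundle)) !== null) paths.add(m[1]);
  return [...paths].sort();
}

// HTTP verbs handed to fetch-style calls: method:"POST", method:'DELETE', ...
function extractMethods(bundle) {
  const methods = new Set();
  const re = /method\s*:\s*["'`]([A-Z]+)["'`]/g;
  let m;
  while ((m = re.exec(bundle)) !== null) methods.add(m[1]);
  return [...methods].sort();
}

// Client-side validation: regex literals used as /.../.test(...).
// These tell an attacker exactly what the browser enforces, and therefore
// what the server must enforce again if it is not to be bypassed.
function extractValidationRegexes(bundle) {
  const out = [];
  const re = /\/((?:\\\/|[^\/\n])+)\/[gimsuy]*\.test\(/g;
  let m;
  while ((m = re.exec(bundle)) !== null) out.push(m[1]);
  return out;
}

// Routes the UI guards with a client-side role check are still in the bundle;
// flag anything that looks privileged so it gets tested server-side.
function findPrivilegedPaths(paths) {
  return paths.filter((p) => /admin|internal/i.test(p));
}

// One-shot report over a bundle.
function reconReport(bundle) {
  const paths = extractPaths(bundle);
  return {
    paths,
    methods: extractMethods(bundle),
    validation: extractValidationRegexes(bundle),
    privileged: findPrivilegedPaths(paths),
  };
}

console.log(JSON.stringify(reconReport(SAMPLE_BUNDLE), null, 2));
```

Run with `node recon.js` (assumed filename). The interesting result is the `privileged` entry: the bundle's own `role==="admin"` check keeps the normal UI from calling `/internal/admin/users`, but the path is still in the shipped JavaScript, so a tester will request it directly; whether that request succeeds depends entirely on server-side authorization, which is the part that is the same whether or not the repository is public.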