Cal.com, once a champion of open‑source philosophy, has shifted to closed‑source mode after a security audit revealed new risks. The change follows a wave of AI‑driven tools that can scan public codebases for flaws, turning every line into a potential attack vector and prompt 24 developers to rethink release strategies.

AI security startups have surfaced new exploits at a breakneck pace. In one recent case, an advanced model uncovered a 27‑year‑old vulnerability in the BSD kernel, producing working exploits within hours. Such speed erodes the safety net that long‑standing projects like Cal.com once relied on for safeguarding sensitive booking data and maintaining uptime for customers daily.

To preserve a degree of openness, Cal.com will release a stripped‑down version under the MIT license, dubbed Cal.diy. Though the production code has diverged with major rewrites in authentication and data handling, the community can still experiment with the legacy core, ensuring developers retain a learning platform without exposing live user information to support innovation.

Cal.com’s pivot underscores an emerging tension between transparency and protection. As AI accelerates vulnerability discovery, companies must balance customer safety with the ideals of open collaboration. By safeguarding its production code while offering an open alternative, Cal.com signals that security can coexist with community contribution, albeit under stricter governance for growth and user confidence today.