AI is fundamentally transforming open source code from a collaborative asset into a high-resolution blueprint for cyberattacks. This shift in the security landscape has forced Cal.com, a prominent scheduling infrastructure tool, to abandon its five-year commitment to a fully open-source model. The decision marks a pivotal moment in the industry, signaling that the traditional belief that more eyes on a codebase lead to better security is being dismantled by the sheer speed of large language models.
The Strategic Pivot to Closed Source
For half a decade, Cal.com operated on the principle that transparency drives innovation. By allowing any developer in the world to inspect, modify, and contribute to its codebase, the company accelerated its growth and refined its product through global collaboration. This open-source philosophy is a cornerstone of modern software development, predicated on the idea that community-driven auditing catches bugs faster than any internal team ever could. However, the company recently announced a transition to a closed-source model, effectively locking the doors to its primary recipe.
This transition does not mean a total abandonment of the community, but it represents a drastic change in boundaries. To mitigate the backlash from the open-source community and provide a path for individual users, the company introduced Cal.diy. This version allows individuals to self-host the software under the MIT license, providing a limited set of features for personal use. Yet, the core enterprise engine and the most sensitive parts of the infrastructure are now hidden from public view. The company views this move as a necessary sacrifice to protect customer data in an era where the cost of discovering a vulnerability has plummeted to near zero.
AI and the Death of Security Through Obscurity
Historically, the barrier to entry for high-level hacking was steep. A malicious actor needed deep domain expertise, months of manual code review, and a significant amount of patience to find a critical flaw in a complex system. It was a game of cat and mouse where the defenders had a reasonable window of time to patch holes before they were exploited. AI has completely erased that window. Modern AI models can ingest millions of lines of code in seconds, identifying patterns and anomalies that would take a human expert years to uncover.
The danger is not theoretical. A stark example of this new reality occurred with the BSD kernel, a foundational piece of software that has existed for nearly three decades. For 27 years, the BSD kernel contained a vulnerability that had remained undetected by thousands of human developers and security researchers. When an AI was tasked with analyzing the code, it identified the flaw and developed a working exploit in a matter of hours. This incident proves that code which was effectively safe for a generation is now vulnerable in an afternoon.
When a company like Cal.com keeps its code open, it is essentially providing a free, searchable map of its entire security architecture to any AI agent. If an AI can find a 27-year-old bug in a kernel in hours, it can find a fresh vulnerability in a scheduling app in minutes. The risk has shifted from the possibility of a human finding a bug to the certainty of an AI finding every single one.
A New Paradigm for Software Engineering
We are entering an era where the act of writing code must be inseparable from the act of defending it against AI. The traditional development cycle—write, test, deploy, and patch—is too slow for the current threat environment. AI security startups are already racing to build tools that can predict attack vectors before a single line of code is even committed to a repository. The focus is shifting from functional excellence to adversarial resilience.
In the coming months, the standard development pipeline will likely integrate mandatory AI-driven auditing. Developers will no longer simply run a suite of unit tests; they will run their code through an adversarial AI that attempts to break the system thousands of times per second. If the AI finds a path to exploitation, the code will be rejected automatically. This creates a paradoxical loop where AI is both the primary weapon of the attacker and the only viable shield for the defender.
For companies, this means the value proposition of open source is being re-evaluated. While the community benefits of open source remain, the security costs are becoming unsustainable for platforms handling sensitive user data. The industry is moving toward a hybrid model where non-critical components remain open for collaboration, but the core security logic is treated as a state secret.
Cal.com's decision is a canary in the coal mine for the tech industry. It suggests that the era of radical transparency in software is colliding with the era of autonomous AI exploitation. As AI continues to lower the cost of cyberattacks, the industry will likely see more companies retreating from open source to protect their users. Security is no longer about building a stronger wall; it is about making sure the enemy does not have the blueprints to the wall in the first place.
