Cal.com announced on April 15, 2026 that it is closing its repository after five years as an open source scheduling platform. The company stated that AI-powered vulnerability discovery has fundamentally changed the security landscape, forcing commercial open source applications to protect sensitive data by closing their codebases.
AI Models Driving the Security Shift
Cal.com CEO Bailey Pumfleet explained the decision by comparing open source code to 'handing out the blueprint to a bank vault,' noting that AI has created '100× more hackers studying the blueprint.' The company cited a significant decrease in the cost to hack systems, alongside a proliferation of AI scanners capable of identifying vulnerabilities across open-source projects at scale.
The announcement specifically referenced Anthropic's Mythos model, which demonstrated in early April 2026 that it could break into highly secure software systems, including OpenBSD. This proof of AI's capability to analyze and exploit code automatically represents a fundamental shift in how security teams must think about public codebases.
Cal.diy Launched for Hobbyists
Despite closing the main Cal.com repository, the company released Cal.diy, a fully open-source version of its platform designed for hobbyists and experimentation. This dual approach separates the commercial application handling sensitive user data from an open project that allows developers to experiment without the same security constraints.
Community Reaction and Industry Implications
The Hacker News discussion reached 196 points with 151 comments, with many in the community questioning whether the move represents a genuine security concern or a business decision disguised as one. Some commenters expressed worry that this could set a concerning precedent for other commercial open source projects.
The decision signals a potential inflection point for the open source ecosystem in the AI era, where automated vulnerability discovery could fundamentally alter the risk calculus of maintaining public codebases for commercial applications handling sensitive data.
Key Takeaways
- Cal.com closed its repository after 5 years as an open source project, citing AI-powered security threats
- The company referenced Anthropic's Mythos model breaking into OpenBSD as evidence of AI's code exploitation capabilities
- Cal.com released Cal.diy, a separate fully open-source version for hobbyists and experimentation
- The Hacker News discussion reached 196 points with 151 comments debating the legitimacy of the security concerns
- The move may represent an inflection point for commercial open source projects in the AI era