Cal.com is going closed source

Original link: https://cal.com/blog/cal-com-goes-closed-source-why

Cal.com is transitioning from open source to closed source because advances in artificial intelligence are creating a growing security risk. In the past, exploiting a software vulnerability required considerable skill and time; now, AI can rapidly scan an open source codebase for vulnerabilities, effectively handing potential attackers a "blueprint". The company acknowledges that this is a difficult decision, but says it is necessary to protect customer data. Although remaining open source would increase the risk, they are still releasing a version of their codebase, "Cal.diy", under the MIT license for the community to use and experiment with. The move is not a permanent abandonment of open source; it is a response to a rapidly changing security landscape in which AI can discover and exploit vulnerabilities at unprecedented speed, even quickly finding bugs that are decades old. Cal.com is putting customer security first and hopes to reconsider open source as security technology advances.

## Cal.com goes closed source: summary

Cal.com has announced a move to a closed-source model, citing security concerns tied to the rise of AI-driven vulnerability discovery. The company claims that large language models (LLMs) now let attackers find vulnerabilities quickly and cheaply, while open source projects struggle to keep pace with auditing.

The decision has sparked debate. Some argue that AI is changing the security landscape and that proactive vulnerability hunting with LLMs is essential for all software, open source or closed. Others criticize the move as "security through obscurity", arguing that attackers can apply the same AI tools to closed-source binaries.

Many commenters suspect that commercial motives are the primary factor: the commoditization of the scheduling market and a desire to avoid competition. There is concern that this sets a bad precedent and may signal a lack of confidence in the security of the code. Some point out that Cal.com itself is able to use AI to proactively scan its own code, and question whether closing the source is necessary at all.

Ultimately, the discussion highlights a growing tension: how to balance the benefits of open source against increasingly accessible and powerful AI-driven security tools.

## Original post

This is not an easy post to write.

When we started Cal.com, we believed deeply in open source. It’s a core principle we built this company around, and something we’ve been incredibly proud of.

Today, we are making the very difficult decision to move to closed source, and there’s one simple reason: security.

AI is changing everything. It’s transforming how we write content, build software, and operate day to day. But what’s talked about far less is how dramatically AI is changing the world of security.

In the past, exploiting an application required a highly skilled hacker with years of experience and a significant investment of time to find and exploit vulnerabilities. The reality is that humans don’t have the time, attention, or patience to find everything.

Today, AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.

Being open source is increasingly like giving attackers the blueprints to the vault. When the structure is fully visible, it becomes much easier to identify weaknesses and exploit them.

In recent months, we’ve seen a wave of AI security startups productizing this capability. Each platform surfaces different vulnerabilities, making it difficult to establish a single, reliable source of truth for what is actually secure.

This uncertainty forced us to make a choice: remain open source and accept increasing risk to customer data, or move to closed source to reduce that risk. It’s not a perfect solution, but we have to do everything we can to protect our users.

At the same time, we still care deeply about open source. That’s why we are releasing a version of our codebase to the community under the MIT license as Cal.diy. While our production codebase has significantly diverged, including major rewrites of core systems like authentication and data handling, we want to ensure there is still a truly open version available for developers, hobbyists, and anyone who wants to explore and experiment.

The risk landscape is accelerating quickly. Advanced AI models are now capable of identifying and exploiting vulnerabilities at unprecedented speed. In one recent example, AI uncovered a 27-year-old vulnerability in the BSD kernel, one of the most widely used and security-focused open source projects, and generated working exploits in a matter of hours.

Continuing as open source would put our application, our customers, and the sensitive data we handle at significant risk. We are taking every step we can to reduce that risk and protect our users, and for now, that means moving to closed source despite how difficult that decision is.

We hope that one day we can return to open source as the security landscape evolves. But for now, we have to put our customers first.
