
Cal.com Goes Closed Source Over AI Security Concerns, But the Internet Isn’t Buying It

Cal.com, a popular open source scheduling alternative to Calendly, closed its main repository citing AI-driven security risks. Skeptics say the real reason is likely commercial.


Cal.com, one of the most popular open source scheduling tools and a direct alternative to Calendly, has made its main repository private. The project, launched in 2021 with open source as a founding principle, cites the growing ability of AI models to automatically scan code for vulnerabilities as the reason.

According to a post by co-founder Bailey Pumfleet, the concern is structural: public code becomes a detailed map for anyone wanting to attack the system. Cal.com points to an example where an AI model identified a flaw in the BSD kernel that had remained hidden for nearly three decades, generating exploitable code within hours. The company concludes that keeping code open means accepting escalating risks to user data, and that it prefers to focus on the product rather than become a security firm.


Cal.diy: What remains for open source

So as not to leave the community empty-handed, Cal.com released a fork called Cal.diy under the MIT license, which is more permissive than the previous AGPL 3.0. The project includes the core scheduling engine, booking system, and app store framework. What’s missing are all commercial and enterprise features: organization management, automated workflows, SAML SSO, analytics and reporting, the entire v1 API, and AI-powered call functions. Cal.diy will be maintained by former Cal.com interns, while the internal team focuses on the commercial product.

The production codebase, as the company admits, had already diverged from the public one in the months before the announcement: authentication and data management were rewritten in a private repository well before the decision was made public.

The community isn’t convinced

In threads on Hacker News and Slashdot, the prevailing reaction is skepticism. Many point out that the premise is shaky: hiding source code doesn’t prevent AI models from finding vulnerabilities, because these same tools can analyze compiled binaries. Security through obscurity doesn’t work in the AI era. If anything, some argue, open source offers an advantage by allowing anyone to identify and fix problems faster than an internal team can alone.

Others float a more direct theory: Cal.com found in the AI argument a convenient cover for a decision already made for commercial reasons, perhaps after discovering during code review more problems than it was willing to fix publicly.

This move isn’t isolated. More and more startups born open source eventually find their way to closed code, citing reasons around security, economic sustainability, or product control. Cal.diy remains available for those who want to self-host, but development of the main product is now behind closed doors.


YOOTA