Cal.com going closed-source as AI agents overwhelm open-source security and review processes
Key Points
- Cal.com is closing its five-year-old open-source codebase, citing AI's newfound ability to find and exploit vulnerabilities faster than small review teams can patch them.
- AI-generated pull request spam is overwhelming open-source projects with low-quality contributions, though Cal.com's own team remains unaffected by the review burden smaller projects face.
- The shift trades away the transparency that made Cal.com's open code a trust signal for enterprise buyers, a tradeoff the company acknowledges but deems necessary for security.
Summary
Cal.com closes its source code as AI rewrites the open-source security calculus
Cal.com, a scheduling software platform that has operated as an open-source project for five years, is going closed-source. Bailey Pumfleet, the company's co-founder and CEO, frames the decision as a security call, not a commercial one.
The core concern is speed. AI can now find and exploit code vulnerabilities at a pace that open-source projects, with public repositories and small review teams, simply weren't built to withstand. Pumfleet points to Anthropic's recent model capabilities as an example of what's now possible, arguing that the broader industry hasn't fully reckoned with what that means for application security — not just for open-source projects, but across software generally.
“AI is now able to break code at completely unimaginable speeds. It's the one thing that nobody is really talking about. We've seen little drops about Anthropic's Methos model and nobody has really taken the time to understand the ramifications which things like that can have on not just open source but broader application security. For us, there's a lot of pros really and we also just genuinely care about open source.”
AI-generated pull request volume is a separate but related pressure. Pumfleet describes a wave of low-quality, AI-generated contributions flooding GitHub, some from developers trying to claim open-source bounties, others from people using GitHub activity to manufacture hiring credentials. Cal.com's own team hasn't changed its policies because of spam PRs, but Pumfleet says smaller projects are struggling with the review burden alone.
The business model doesn't change. Cal.com sells the software commercially and always has. The open-source codebase was a trust signal — letting enterprise buyers inspect the code and verify Cal.com wasn't mishandling calendar data — rather than the revenue engine itself. Pumfleet is explicit that closing the source won't make the company more profitable; it's an attempt to do right by customers who depend on the platform's security.
On the vibe-coding threat, Pumfleet is relaxed. A basic scheduler can be built in a weekend, he says, but scheduling at enterprise scale is fragile and deeply nuanced in ways that AI-assisted rapid development can't currently handle. His analogy holds: no serious founder rebuilds Stripe for payments or Intercom for support. The opportunity cost of maintaining custom tooling almost always outweighs the subscription cost of something proven.
The harder question Pumfleet leaves open is whether closing the source trades one trust problem for another. The transparency argument that made open-source commercially useful to Cal.com — buyers could audit the code — disappears the moment the repository goes private.