Cal.com Went Closed Source and Nobody Bought the Excuse

A scheduling app with 41,000 GitHub stars and 947 contributors just pulled the rug. On April 14, Cal.com published a blog post titled "Cal.com is going closed source. Here's why." The reason? AI. Not low revenue. Not investor pressure. AI.
"Being open source is increasingly like giving attackers the blueprints to the vault," they wrote. They pointed to AI security tools like Anthropic's Mythos that can systematically scan codebases for vulnerabilities. They mentioned a 27-year-old BSD kernel flaw found by AI in hours.
The internet's response was fast and brutal. The Hacker News thread hit 263 points and 190 comments within hours. Reddit's r/selfhosted called it "another one bites the dust." The top comment on HN, by Django co-creator Simon Willison, linked a piece that argued the exact opposite: open source is more valuable now because the auditing cost gets shared.
"If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them."
That's Drew Breunig. His argument makes sense. More eyes, shared audit budgets, faster patching. The thing Cal.com is afraid of is also the thing that could save them.
The Real Timeline
Here's what actually happened in the months before this announcement.
January 2026. Gecko Security published findings of critical broken access control vulnerabilities in Cal.com Cloud. Complete account takeover. Millions of leaked bookings. This was found by, you guessed it, an AI security engineer.
March 2026. The Linux Foundation announced $12.5 million in grants from Anthropic, AWS, Google, Microsoft, and OpenAI to strengthen open source security.
April 13, 2026. Huzaifa Ahmad, CEO of Hex Security, published a guest post on Cal.com's own blog about AI finding vulnerabilities faster than teams can fix them. A day later, Cal.com announced it was going closed source.
April 14, 2026. The blog post drops. The production repo goes private. Cal.diy launches as the open source alternative under an MIT license. Cal.diy has roughly 8,000 stars. The original repo had 41,200.
The Hex Security connection raised eyebrows. A CEO writing a guest post on your blog one day before you announce a major pivot based on his product's thesis? People noticed. One HN commenter put it plainly: "security through obscurity is not a real thing."
Another commenter on HN had a different angle entirely: "I have a feeling the real reason is them trying to avoid someone using AI to copyright-wash their product; they're just using security as the excuse." The vibe-coding fear is real. If someone can point Claude at your open source repo and rebuild the same product in a weekend, what does your code even protect?
But here's the thing. A scheduling app is not a moat. It never was. Someone on HN pointed out you could "vibe code" a Cal.com clone in a few evenings with a Chrome MCP server pointed at their website. The features aren't hard to copy. The integrations aren't proprietary. The only thing keeping users around is the hassle of migrating their booking links and telling every client to update their calendar.
That's not a defensible position. Closing the source doesn't change that.
What Cal.diy Actually Means
Cal.com is spinning Cal.diy as the community-driven open version. Self-hostable. MIT licensed. Available for hobbyists and developers.
But look at what's missing. The production codebase has "major rewrites of core systems like authentication and data handling," according to their own post. Those rewrites are closed. The enterprise features are closed. The security fixes they applied after the Gecko findings? Those are closed too.
As one Reddit user noted: "cal.diy looks to be almost exactly the same as their current free tier. Most of this announcement appears to be fearmongering people into paying."
The pricing doesn't help their case.
| Plan | Cost |
| --- | --- |
| Free | $0 |
| Standard | $12/user/month |
| Enterprise | Custom |
Twelve bucks per user per month for a scheduling app. For a team of six, that's $864 a year. To book meetings. People were not kind about this.
Why This Feels Different
The open source "bait and switch" isn't new. Companies build on community goodwill, collect stars, raise VC money, and then lock the doors. Elasticsearch did it. Redis did it. Terraform did it.
But Cal.com's justification is new. And that's what's rubbing people the wrong way.
Previous companies at least had the decency to say "we need to make money." Cal.com wrapped it in a noble cause. "We have to protect our users." That framing implies open source is now irresponsible. Dangerous, even.
The problem with that argument is simple. The Gecko vulnerability that exposed millions of bookings? Cal.com was open source when that happened. The code was visible. Nobody in the community found it first; an AI security firm did. Now the code is private, and that changes nothing about whether someone will poke at the product. Broken access control in a hosted service like Cal.com Cloud is found by sending requests to the live service and watching what comes back, with or without the source.
I keep thinking about the 947 contributors. Some of them wrote code that's now sitting behind a private repo. Their commits, their time, their PRs. Whatever license was in place when they contributed, the optics are rough.
One commenter on HN said it well: "Classic open source bait and switch." Another pointed out that Cal.com's moat was never the code. "The moat of Cal.com is not the code, it's the users who don't want to migrate."
The Honest Take
Cal.com was always a VC-funded company with an enterprise tier. The open source part was marketing. Useful marketing, sure. It got them 41,000 stars and a community that built features for free. But the core business model always depended on selling something closed.
The AI security angle is convenient. It's timely. It's hard to argue against "we're protecting our users." But it's not the full story.
If AI makes open source dangerous, why is the Linux Foundation getting $12.5 million from the biggest AI companies to strengthen open source security? Why are cryptographers, who face the most sophisticated AI-assisted attacks, still publishing their work openly?
Because the math still works. More auditors catch more bugs. Open source scales the auditor pool. Closed source concentrates risk on one internal team.
Cal.com's real problem isn't AI. It's that they couldn't convert enough free users to paid ones. The self-hosted crowd was never going to pay. The enterprise crowd was already paying for the enterprise tier. And now, by closing the source, they've alienated the only group that was doing free marketing for them.
What Happens Next
Thunderbird's project lead publicly announced that their scheduling tool will "always be open source." The repo is live. People are already migrating. The r/selfhosted thread is full of people asking for alternatives.
Cal.diy will probably survive as a community fork. But it'll drift. Without Cal.com's engineering resources, it'll fall behind. And the people who self-host it will deal with the same bugs that Reddit users have been complaining about for years.
The broader question is bigger than Cal.com. If the AI security narrative catches on, more companies will use it. "We're going closed source to protect you." It sounds responsible. It's also incredibly convenient for the bottom line.
I'm not saying Cal.com's security concerns aren't real. They are. The Gecko findings prove that. But the solution isn't hiding the code. The solution is fixing the code. And you don't need to be closed source to do that.
You just need to care enough to do it in the open.