
'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source

[Image: Cal app screenshot. Credit: Cal/ZDNET]



ZDNET’s key takeaways

  • Cal is reluctantly moving away from open source for security.
  • This move isn’t about Mythos, but risks from modern AI tools.
  • Given the choice, Cal would return to open source.

When Cal was founded in 2022, Bailey Pumfleet, the CEO and co-founder, wrote, “Cal.com would be an open-source project [because] limitations of existing scheduling products could only be solved by open source.” 


Since Cal was successful and now claims to be the largest Next.js project, he was on to something. Today, however, Pumfleet tells me that AI programs such as “Claude Opus can scour the code to find vulnerabilities,” so the company is moving the project from the GNU Affero General Public License (AGPL) to a proprietary license to defend the program’s security.

Threat of AI hackers

Many companies have moved from open-source licenses to semi-proprietary licenses for business reasons over the years. It may not have been that smart, but they did it anyway. What Cal is doing is something new and may be disturbing to open-source proponents. Overwhelmed by the threat of AI hackers, it is completely shutting down its commercial open-source program.


“Open source security always relied on people to find and fix any problems,” said Peer Richelsen, co-founder of Cal. “Now AI attackers are flaunting that transparency.” Pumfleet added, “Open-source code is basically like handing out the blueprint to a bank vault. And now there are 100× more hackers studying the blueprint.”

The blueprint exists

Anthropic’s Mythos model proved in early April that it could break into some of the world’s safest software systems. The prime example of that is Mythos finding a serious security hole in OpenBSD, which places a strong emphasis on security.

However, it wasn’t Mythos that caused Cal to make its radical change. Pumfleet explained, “We saw this coming anyway. Even without Mythos, it’s incredibly easy to point previous generation models like Claude Opus at an open source codebase” and find holes.


Cal also quoted Huzaifa Ahmad, CEO of Hex Security: “Open-source applications are 5-10× easier to exploit than closed-source ones. The result, where Cal sits, is a fundamental shift in the software economy. Companies with open code will be forced to risk customer data or close public access to their code.”

“We are committed to protecting sensitive data,” Pumfleet said. “We want to be a scheduling company, not a cybersecurity company.” He added, “Cal.com handles sensitive booking data for our users. We won’t risk that for our love of open source.”

Cal.diy release

While its commercial program is no longer open source, Cal has released Cal.diy. This is a fully open-source version of its platform for hobbyists. The open project will enable experimentation outside the closed application that handles high-stakes data. 

Pumfleet concluded, “This decision is entirely around the vulnerability that open source introduces. We still firmly love open source, and if the situation were to change, we’d open source again. It’s just that right now, we can’t risk the customer data.”


AI is indeed proving to be a mixed blessing for open-source projects and programmers. Will other smaller companies that do not have the resources to patch a flood of AI hacks follow in Cal’s footsteps? Stay tuned. It is not only open-source coding that is being radically changed by AI, but also the open-source business models.
