Cal.com has transitioned its main program from the GNU Afferm General Public License (AGPL) to a proprietary license, according to a report by theregister.com.
Co-founder and CEO Bailey Pumfleet announced the move, claiming that the rise of artificial intelligence poses a direct threat to the security of open-source code. He described open-source code as being "basically like handing out the blueprint to a bank vault" and noted that "AI attackers are flaunting that transparency."
Pumfleet suggested that the increasing accessibility of code through AI means there are now "100× more hackers studying the blueprint." This shift has caused significant friction within the developer community, with some critics accusing the company of reverting to "security through obscurity."
The battle over tokens and transparency
Industry experts are divided on whether AI truly renders open-source security obsolete. Jason Schmitt, CEO of Black Duck, noted that the pace of software creation is currently outstripping the ability of most organizations to secure it. Black Duck's 2026 Open Source Security and Risk Analysis paper reported a 107 percent surge in open-source vulnerabilities per codebase.
However, Simon Willison, co-creator of Django, argues that open source is actually more valuable in the AI era. He stated that since security exploits can now be found by spending tokens, open-source libraries allow developers to share the auditing budget, whereas closed-source software must fund all exploit discovery privately.
Tech strategist Drew Breunig recently described the new reality of code security as a "brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them."
Competitors are already attempting to capitalize on Cal.com's decision. Ryan Sipes, a Product and Business Development Manager at Mozilla Thunderbird, told YCombinator that Thunderbird Appointment will remain open source and encouraged users to switch to their scheduling tool.
Critics on platforms like Reddit and Slashdot have been more blunt, suggesting the licensing change is a move to protect profits rather than a genuine security necessity. One Slashdot commenter suggested the move is "a fig leaf over the desire to back out of the open-source community now that the product has reached profitability."
Newer AI developments may further undermine the argument for closed code. Peter Steinberger, creator of OpenClaw, noted that OpenAI’s GPT 5.4-Cyber claims the ability to reverse-engineer binaries back into source code, potentially making proprietary protections ineffective.
