'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source
Cal is reluctantly moving away from open source for security, a decision driven by risks from modern AI tools. Bailey Pumfleet, the CEO and co-founder of Cal, previously stated, “Cal.com would be an open-source project because limitations of existing scheduling products could only be solved by open source.” Today, however, Pumfleet tells me that AI programs such as Claude Opus can scour the code to find vulnerabilities, so the company is moving the project from the GNU Affero General Public License (AGPL) to a proprietary license to defend the program’s security.
Overwhelmed by the threat of AI hackers, Cal is completely shutting down its commercial open-source program. Peer Richelsen, co-founder of Cal, said, “Open source security always relied on people to find and fix any problems. Now AI attackers are flaunting that transparency.” Pumfleet added, “Open-source code is basically like handing out the blueprint to a bank vault. And now there are 100× more hackers studying the blueprint.”
That blueprint is real: Anthropic’s Mythos model showed in early April that it could break into some of the world’s most secure software systems. The prime example is Mythos finding a serious security hole in OpenBSD, an operating system that places a strong emphasis on security. However, it wasn’t Mythos that caused Cal to make its radical change. Pumfleet explained, “We saw this coming anyway. Even without Mythos, it’s incredibly easy to point previous generation models like Claude Opus at an open source codebase and find holes.” Cal also quoted Huzaifa Ahmad, CEO of Hex Security: “Open-source applications are 5-10× easier to exploit than closed-source ones. The result, where Cal sits, is a fundamental shift in the software economy. Companies with open code will be forced to risk customer data or close public access to their code.”
Pumfleet emphasized the company’s commitment to data protection, stating, “We are committed to protecting sensitive data.” He added, “Cal.com handles sensitive booking data for our users. We won’t risk that for our love of open source.” While its commercial program is no longer open source, Cal has released Cal.diy, a fully open-source version of its platform for hobbyists. Pumfleet concluded, “This decision is entirely around the vulnerability that open source introduces. It’s just that right now, we can’t risk the customer data.”