Cal.com moves its core codebase to a closed repository, citing AI security risks. Discover how the startup balances open source roots with vulnerability concerns.

The New Stack is a publication covering trends and technologies in cloud-native development, DevOps, and software delivery. Developers can learn about containerization, Kubernetes, and cloud computing, as well as explore topics such as microservices architecture, serverless computing, and continuous integration/continuous delivery (CI/CD) pipelines.

The New Stack

Cal.com, the open-source Calendly alternative, is moving its core production codebase to a closed repository, citing AI-driven security risks. The company argues that AI systems capable of systematically finding vulnerabilities make open code materially more dangerous to maintain publicly. As a compromise, Cal.com has released Cal.diy — a stripped-down, MIT-licensed, self-hostable version of its scheduling platform — while enterprise features and critical security components like authentication and data-handling now live in a private repo. The founders suggest other commercial open-source companies are already reassessing similar decisions, framing this as a broader industry inflection point rather than a one-off business move.

Open source faces a security reckoning as Cal.com closes its codebase