Cal.com's shift from AGPL to proprietary licensing citing AI security concerns has sparked debate, but experts argue open source remains more secure than proprietary alternatives.
AI's Not Going to Kill Open Source Code Security
The recent decision by Cal.com to abandon its AGPL-3.0 licensing in favor of a proprietary model has sent shockwaves through the open source community. The company's co-founder and CEO, Bailey Pumfleet, declared that "open source is dead," claiming that AI attackers make transparent code too vulnerable. However, security experts and open source advocates strongly disagree, arguing that this approach misunderstands both security principles and the value of open source development.
The Cal.com Decision: Security Through Obscurity
Cal.com's rationale for abandoning open source centers on the belief that AI tools make open source code fundamentally vulnerable. As Pumfleet stated, "AI attackers are flaunting that transparency," making open source "like handing out the blueprint to a bank vault" with exponentially more hackers studying it.
This represents a return to the discredited "security through obscurity" approach, which has been repeatedly proven ineffective over decades of software development. The company's decision comes amid growing concerns about AI-powered vulnerability scanning, with reports indicating a 107% surge in open source vulnerabilities per codebase according to Black Duck's 2026 Open Source Security and Risk Analysis.
Why Open Source Security Actually Benefits from Transparency
Contrary to Cal.com's position, transparency has historically made open source more secure than proprietary alternatives. Linux kernel maintainer Greg Kroah-Hartman and Django co-creator Simon Willison both argue that open source provides security advantages that proprietary code cannot match.
"Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget while closed source software has to find all the exploits themselves in private," Willison explains.
The reality is that most commercial code today relies on open source components, and the collaborative nature of open source development enables faster identification and remediation of security issues. When vulnerabilities are discovered, the entire community benefits from the patches, rather than just a single organization as with proprietary software.
AI's Dual Impact on Security
While AI does indeed make vulnerability discovery faster and more efficient, it also accelerates the remediation process. The concern about AI-powered attacks is valid, but the solution isn't to retreat from open source—it's to leverage AI for defensive purposes more effectively.
Drew Breunig, a respected tech strategist, has framed this as a "brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them." This represents a modern interpretation of Linus's Law, suggesting that "given enough tokens, all bugs are shallow"—presuming adequate resources are available.
The Future of AI and Open Source Security
Emerging AI tools may further diminish the effectiveness of "security through obscurity." OpenAI's GPT 5.4-Cyber, for example, claims to be able to reverse engineer binaries back to source code, potentially exposing proprietary code to the same level of scrutiny as open source. As Peter Steinberger, creator of OpenClaw, noted, "If you look at GPT 5.4-Cyber and its ability for closed source reverse engineering, I have bad news for you."
This development suggests that proprietary approaches may become even less viable as AI capabilities advance, making Cal.com's decision particularly ill-timed.
Community Response and Alternatives
The developer community has largely rejected Cal.com's reasoning. On Reddit, users questioned the company's seriousness about security, pointing to recent patches for fundamental authentication and access control issues that weren't the result of sophisticated hacking.
Mozilla Thunderbird's Ryan Sipes offered a direct alternative: "Our scheduling tool, Thunderbird Appointment, will always be open source. Come talk to us and build with us. We'll help you replace Cal.com." This represents a commitment to open source principles even in the face of emerging AI threats.
Practical Recommendations for Organizations
Rather than abandoning open source, organizations should develop strategies that leverage both open source and AI for enhanced security:
- Invest in automated security scanning for your open source dependencies
- Contribute to open source security initiatives rather than withdrawing from them
- Develop AI-powered defensive tools to complement open source development
- Establish clear vulnerability disclosure policies that work with the open source community
- Balance open source usage with appropriate security controls rather than wholesale replacement
As the AI transformation of programming continues, organizations that learn to use AI and open source together will be better positioned than those that retreat to outdated proprietary models. The future of software security lies in transparency and collaboration, not in obscurity and isolation.
Comments
Please log in or register to join the discussion