Cal.com is going closed source

Motivation for Going Closed Source

  • Many commenters see the “security because of AI” rationale as a pretext for a business move (protecting revenue, preventing clones, VC pressure) rather than a genuine security pivot.
  • Others accept that AI-assisted vulnerability discovery and noise (low-quality reports, LLM-found “vulns”) increase the burden on maintainers, especially for commercial open-core products.

Security Through Obscurity Debate

  • A large portion of the thread argues that closing the source is “security by obscurity,” which has historically been considered weak: vulnerabilities still exist and can be found via binaries, traffic analysis, or black-box testing.
  • Counterpoint: even if not sufficient alone, obscurity can be one layer in “defense in depth” and can raise attacker cost (more tokens, more effort, less direct access to code).
  • Skeptics say the move signals “we don’t trust our own security,” which may undermine user confidence more than open code does.

LLMs, Vulnerabilities, and Economics

  • One camp: if LLMs are great at finding bugs, vendors should run them themselves pre-release; open source benefits most because multiple parties can “share the auditing budget.”
  • Opposing view: defense is asymmetric; defenders must find all bugs, attackers only one. Continuous LLM scanning on every change and dependency update can be expensive.
  • Some see cybersecurity becoming “proof-of-work”: you must spend more tokens hardening than attackers spend attacking.
  • Others highlight that attackers and defenders have access to the same tools, so relative advantage may not change much.

Impact on Open Source and Users

  • Several users state they chose Cal.com specifically because it was open source / self-hostable and plan to migrate away now.
  • Some note that the previous open version has been relicensed as a separate MIT-licensed project, but worry it could be neutered over time.
  • Broader sentiment: AI is accelerating a trend where VC-backed “open source” is used mainly as a growth and branding tactic, then revoked once traction is achieved.
  • Others point to alternative open scheduling tools (e.g., Thunderbird Appointment) and personal projects, and predict more such replacements.