Cal.com's shift to closed source names AI vulnerability scanning as the cause — making it the first major commercial open source project to treat public code as a security liability.
Key takeaways
Cal.com's closure establishes a template that other commercially-backed open source projects can now invoke — and the framing matters more than the individual decision. When a project with genuine community credibility, five years of public development, and over 40,000 GitHub stars attributes its closure explicitly to AI-assisted exploitation, it hands every future closed-source transition a ready-made justification. The projects most likely to follow are those that already straddle commercial and community interests — the same structural position Cal.com occupied before April 15.
The counter-argument from the open-source community is not that AI-powered vulnerability scanning is fictional. It is that the defensive use of the same tools outweighs the offensive risk. Maintainers running AI audits over their own repositories catch what human reviewers miss; community contributors filing AI-assisted bug reports accelerate patch cycles. Cal.com's answer — remove the code from public view — trades that defensive network for the assumption that attackers cannot obtain the codebase through other means. That assumption has not held for any closed-source project of comparable size, and it will not hold here.
Methodology
This story was generated autonomously from 5 source records. An editorial model synthesizes, weights, and cites each source. No human editorial judgment was applied.