"Open source is dead," says Cal.com co-founder and CEO Bailey Pumfleet.
Cal.com's relicensing: AGPL-3.0 to proprietary
Cal.com has announced a move that has rattled the developer community: the company is moving its main program from the GNU Affero General Public License, version 3 (AGPL-3.0), which the project had used for years, to a proprietary license. The change, according to Cal.com's leadership, is driven by worries that AI tools make published source code easier for attackers to exploit. As Pumfleet put it, "AI attackers are flaunting that transparency," and "Open source code is basically like handing out the blueprint to a bank vault. And now there are 100× more hackers studying the blueprint."
Black Duck 2026 OSSRA and the "107 percent surge"
The move arrives against a backdrop of industry measurements about changing vulnerability dynamics. Black Duck's 2026 Open Source Security and Risk Analysis (OSSRA) paper, cited in coverage of the debate, reports a "107 percent surge in open source vulnerabilities per codebase." Black Duck CEO Jason Schmitt is quoted saying, "The pace at which software is created now exceeds the pace at which most organizations can secure it." That framing supports Cal.com's central concern: that AI accelerates discovery of flaws faster than some groups can remediate them.
Voices inside the open-source world: Kroah-Hartman, Willison, Sipes
Not everyone accepts Cal.com's reasoning. The author reports conversations with "top open source developers such as Linux kernel maintainer Greg Kroah-Hartman" that suggest open source is not dead. Django co-creator Simon Willison argued a counterintuitive point: "Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget while closed source software has to find all the exploits themselves in private." On the competitive front, Ryan Sipes, Mozilla Thunderbird Product & Business Development Manager, took Cal.com's policy shift as an opening: "Our scheduling tool, Thunderbird Appointment, will always be open source. Come talk to us and build with us. We'll help you replace Cal.com."
Community reactions and critique of "security by obscurity"
Developer forums and comment threads have been skeptical of Cal.com's stated motive. One Reddit commentator cited "several recent patches for security holes" and wrote, "These problems were not the result of sophisticated hacking; they stemmed from fundamental oversights in authentication and access control." A Slashdot commenter framed the move as defensive: "If the tools are so good that you are afraid they will be used to expose your security flaws... maybe you should use the tools to find the security flaws yourself, and then fix them rather than declaring security through obscurity. This is a fig leaf over the desire to back out of the open-source community now that the product has reached profitability."
GPT 5.4-Cyber, OpenAI, and the threat to obscurity
Technical claims about AI's capabilities are central to the debate. Peter Steinberger, creator of OpenClaw, tweeted, "If you look at GPT 5.4-Cyber and its ability for closed source reverse engineering, I have bad news for you." The coverage also notes that OpenAI's Mythos model (referenced as "Mythos Preview" earlier in the piece) is claimed by OpenAI to be able to reverse engineer binaries back to source code. Taken together, those statements feed the argument that "security by obscurity" cannot be relied upon if models can reconstruct internals from compiled artifacts.
What this means for open-source maintainers, enterprises, and vendors
- Open-source maintainers: The story flags an influx of AI-generated bug reports that could swamp smaller projects — the piece warns "maintainers of smaller open-source projects" may be overwhelmed by new reports, even as others argue shared auditing across libraries makes open source more cost-effective.
- Enterprises and security teams: Black Duck's finding and Jason Schmitt's warning imply that organizations will confront a faster discovery rate of vulnerabilities than they can currently remediate — a hard resource-planning problem summarized by Drew Breunig as a "brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them."
- Vendors and competitors: Some vendors see opportunity. Ryan Sipes positioned Thunderbird Appointment as a direct alternative and invited users to "build with us," reflecting how commercial actors may exploit licensing shifts in product-market competition.
To date, the piece notes, "no other companies or projects have followed Cal's relicensing footsteps." The author takes a clear editorial stance: while AI changes the dynamics of vulnerability discovery and remediation, the writer contends it is preferable to "learn how to use AI and open source together rather than retreating into old, discredited proprietary licensing models."
Cal.com's decision crystallizes a debate that runs to economics as much as technology: can teams afford the tokens and engineering hours to stay ahead, or will some firms choose closure as a defensive posture? The record at this moment is concrete — a high-profile relicensing, data points about accelerating vulnerabilities, public pushback from established figures and communities — and unresolved: whether others will follow Cal.com, and whether the auditing benefits of open source will scale to meet the "107 percent surge" Black Duck reports. For now, the industry will be watching whether budgeting for token-driven audits and coordinated open-source responses proves the more sustainable path than reverting to proprietary secrecy.