What Happened to Cal.com's Shift to Closed Source?
Cal.com, a prominent open-source scheduling platform, announced on April 15, 2026, its decision to move the commercial edition of its core software from an open-source model to a closed-source approach. This significant shift was primarily driven by escalating security concerns related to AI-driven attacks and automated vulnerability scanning, which the company stated made publicly available code too susceptible to exploitation. While the commercial product is now proprietary, Cal.com simultaneously launched 'Cal.diy,' a fully open-source version under the MIT License for hobbyists and self-hosting, aiming to balance security for its enterprise users with its open-source roots.
Quick Answer
On April 15, 2026, Cal.com transitioned its commercial scheduling software from an open-source to a closed-source model, citing heightened security risks from AI-driven vulnerability scanning. The company's CEO, Bailey Pumfleet, stated that AI tools make open-source code akin to 'handing out the blueprint to a bank vault' to hackers, compelling them to prioritize customer data protection over their open-source commitment. Concurrently, Cal.com released 'Cal.diy,' an MIT-licensed open-source version for community use, ensuring a continued open-source option for non-commercial applications while securing its main product.
📊Key Facts
📅Complete Timeline11 events
Cal.com (as Calendso) Founded
Cal.com was founded as Calendso, an open-source scheduling platform aimed at providing an alternative to existing proprietary tools.
Raises $7.4M Seed Round
Cal.com secured $7.4 million in seed funding from investors including OSS Capital, Joseph Jacks, and Naval Ravikant.
License Change to AGPLv3
Cal.com changed its open-source license from MIT to AGPLv3 to better protect its community and ensure longevity, aiming to prevent commercial exploitation without contribution.
Secures $25M Series A Funding
Cal.com announced a $25 million Series A funding round led by Seven Seven Six, with participation from ObviousVentures, OSS Capital, and others.
Discusses Open Source Challenges
Cal.com published a blog post discussing the pros and cons of open source, acknowledging risks like product rip-offs and competitors leveraging their code.
Community Concerns Over Self-Hosting & Licensing
Discussions on platforms like Hacker News highlighted difficulties in self-hosting Cal.com and raised questions about the true 'open source' nature of the project given its enterprise features.
AGPLv3 Misrepresentation Allegations
A GitHub discussion pointed out that Cal.com's readme might have misrepresented the AGPLv3 license, potentially steering users towards commercial licenses.
Critical Vulnerabilities Discovered by AI
Gecko Security's AI security engineer identified critical vulnerabilities in Cal.com Cloud, allowing account takeovers and sensitive data exposure, which were subsequently patched.
Updated Pricing Structure for 2026
Cal.com's 2026 pricing guide was updated, detailing various plans including free, team, organizations, and custom enterprise options.
Commercial Edition Shifts to Closed Source
Cal.com announced its decision to move the commercial version of its core scheduling software to a closed-source model, citing escalating security threats from AI-driven attacks.
Launches 'Cal.diy' Open-Source Project
Alongside its commercial shift, Cal.com launched 'Cal.diy,' a separate, fully open-source project under the MIT License for hobbyists and self-hosting, maintaining an open-source option.
🔍Deep Dive Analysis
Cal.com, initially launched as Calendso in 2021, quickly gained traction as an open-source alternative to proprietary scheduling tools. Its early commitment to open source was seen as a core differentiator, allowing extensive customization and self-hosting capabilities. In September 2021, the company updated its license from MIT to AGPLv3, a move intended to protect its community and ensure that any modifications to the code by corporations running it as a service would be contributed back to the open-source project.
However, the company's journey with open source was not without challenges. Discussions within the community in early 2023 highlighted difficulties in self-hosting and concerns that certain 'enterprise' features were not truly open, leading to some confusion regarding the AGPLv3 license's interpretation in their documentation. These early signals hinted at the complexities of maintaining a fully open-source model while building a sustainable commercial enterprise.
A pivotal turning point arrived with the rapid advancement of AI. In January 2026, a security audit by Gecko Security, utilizing an AI security engineer, uncovered critical vulnerabilities in Cal.com's cloud platform, enabling complete account takeovers and access to sensitive booking data. These issues were promptly patched, but underscored the growing threat landscape. This event, coupled with broader industry demonstrations of AI models like Anthropic's Mythos being able to quickly identify software exploits, significantly escalated Cal.com's security concerns.
On April 15, 2026, Cal.com officially announced its decision to move its commercial product to a closed-source model. CEO Bailey Pumfleet and co-founder Peer Richelsen articulated that AI-powered vulnerability scanning had fundamentally altered the security paradigm for open-source software. They likened open-source code to a 'blueprint to a bank vault' for AI attackers, making it too risky to expose sensitive customer data. The company emphasized its desire to focus on being a scheduling company, not a cybersecurity firm, and to protect the sensitive booking, meeting, and personal data handled by its platform.
As a consequence of this shift, the commercial codebase of Cal.com is no longer publicly available. To maintain a connection to its open-source roots and community, Cal.com simultaneously launched 'Cal.diy,' a separate, fully open-source project under the permissive MIT License. This version is intended for hobbyists and self-hosting, allowing continued experimentation and development without compromising the security of the main commercial product that handles high-stakes customer data. The decision has sparked debate within the open-source community, with some critics viewing it as a common pattern where companies leverage open source for growth before transitioning to proprietary models once established. Despite the controversy, Cal.com continues to offer various paid plans for teams and enterprises, with pricing ranging from $12 to $37 per seat/month, and custom enterprise solutions, as of early 2026. The company has raised a total of $32.4 million in funding, including a $7.4 million Seed round and a $25 million Series A round, and reported an estimated annual revenue of $1.1 million as of April 2026.
What If...?
Explore alternate histories. What if Cal.com's Shift to Closed Source made different choices?