Mid-April 2026 — A seismic shift rocks the open-source world. Bailey Pumfleet, CEO of Cal.com, announces the transition of his scheduling software from an AGPL license to a proprietary one. The reason? AI models like Claude Opus (Anthropic) can now scan public codebases and uncover vulnerabilities in mere hours. This decision reignites a critical question: Is the rise of offensive AI spelling the end of transparency—the very foundation of open source?
A Historic Turning Point: Is Open Source at Risk?
Since its launch in 2022, Cal.com has embodied the open-source ethos: accessible, community-driven, and secured by collective scrutiny. Yet, faced with AI’s ability to analyze, exploit, and weaponize code at unprecedented speed, Pumfleet chose to lock down the source. A radical move, justified by a stark analogy:
“Open-source code is like handing out the blueprint to a bank vault. Except now, there are a hundred times more hackers studying the blueprint.”
His co-founder, Peer Richelsen, doubles down: the traditional balance of open source, which relied on human expertise to find and fix bugs, has been shattered. AI models like Claude Mythos Preview (Anthropic) have already surfaced 27-year-old flaws in OpenBSD and 16-year-old bugs in FFmpeg, flaws that had survived automated testing over millions of iterations.
The Security Paradox: Transparency vs. Obscurity
Cal.com may not be alone for long; others could follow, driven by fear of heightened exposure. But cybersecurity veterans like David Lindner (Contrast Security) challenge that logic, cutting to the chase:
“We’ve always found vulnerabilities. We discover them every day. The real bottleneck isn’t detection—it’s patching.”
A sobering statistic backs this up: over 99% of the flaws identified by Mythos remain unpatched, per Anthropic’s own report. Closing the code doesn’t eliminate those vulnerabilities; it only removes them from public view, and a bug nobody can see is still a bug an attacker can trigger.
The Counterargument: Open Source as a Shield, Not a Target
Jim Zemlin, CEO of the Linux Foundation, advocates for a different path: adaptation, not retreat. His reasoning:
- Open-source software underpins modern infrastructure.
- Keeping it open enables continuous public audits, historically its strongest defense.
- Equipping open-source maintainers with the same AI tools as attackers would allow proactive patching before exploits occur.
This aligns with Project Glasswing, a $100 million consortium (backed by Microsoft, Google, Amazon, and the Linux Foundation) aimed at securing open source. Their mantra: AI should be a defensive force, not just an offensive one.
Security Through Obscurity: A False Promise?
Cal.com’s stance hinges on an old belief: “If the code is hidden, it’s safer.” Yet cybersecurity history shows that security through obscurity is a fallacy; cryptography formalized the lesson over a century ago as Kerckhoffs’s principle, which holds that a system should remain secure even when everything about it except the key is public. Experts argue:
- Reverse engineering and behavioral analysis bypass obscurity: a shipped binary can be decompiled, fuzzed and traced without a single line of source.
- Closed code denies users the ability to verify its security for themselves.
- Modern AI can detect vulnerabilities even in compiled binaries, by analyzing decompiled code, network behavior and execution patterns.
Closing the code doesn’t erase flaws; it only makes them harder for defenders and users to see. Nor does it claw back what is already public: versions of Cal.com released under the AGPL remain available under that license in any forks and mirrors, so a flaw present in them stays discoverable regardless of the license on future commits.
Toward a New Balance?
The debate is far from settled. Two visions clash:
- The Retreat: Closing code as a defensive reaction to offensive AI.
- The Reinforcement: Leveraging AI to automate both detection and patching in open source.
One thing is certain: AI has changed the game. It can be a potent weapon for attackers and an essential tool for defenders. The open-source community faces a choice:
- Retreat and risk losing its core identity.
- Adapt and turn AI into an ally for stronger security.
Which side are you on? The conversation is just beginning.