Cal.com closes commercial codebase, sparks security debate

Reporting by The Register says Cal.com has closed its commercial codebase and moved its main program from AGPL-3.0 to a proprietary license, a change the article links to concerns about AI-driven discovery of vulnerabilities. The Register quotes Punfleet saying, "AI attackers are flaunting that transparency," and that "there are now 100× more hackers studying the blueprint." The Register also cites security reports that claim a 107 percent surge in open source vulnerabilities per codebase and quotes Black Duck CEO Jason Schmitt saying, "The pace at which software is created now exceeds the pace at which most organizations can secure it." Separately, The Register reports that Ari Herbert-Voss, speaking at Black Hat Asia, argued open source models can match Anthropic's Mythos for bug finding if integrated with orchestration "scaffolding."
What happened
Reporting by The Register says Cal.com has closed its commercial codebase and moved its main program from AGPL-3.0 to a proprietary license, a shift the article links to concerns about AI-driven vulnerability discovery. The Register quotes Punfleet saying, "AI attackers are flaunting that transparency," and adds a reported line, "And now there are 100× more hackers studying the blueprint." The Register also cites security reports that claim a 107 percent surge in open source vulnerabilities per codebase and quotes Jason Schmitt, CEO of Black Duck, saying, "The pace at which software is created now exceeds the pace at which most organizations can secure it."
Editorial analysis - technical context
Reporting from Black Hat Asia (via The Register) says Ari Herbert-Voss, CEO of RunSybil and OpenAI's first security hire, told the conference that open source models can find bugs as effectively as Anthropic's Mythos when multiple models are run together under orchestration. Herbert-Voss is quoted describing supralinear scaling in model capability and arguing that combining models with toolchains can produce complementary detections and reduce single-model blind spots. The report also frames cost and access as drivers: Mythos is described as tightly restricted and expensive, making open alternatives attractive for many organizations.
Context and significance
Industry context
The Register's opinion piece places Cal.com's licensing change into a larger debate about transparency versus attack surface in the age of generative AI. The article restates a variant of Linus's Law as "given enough tokens, all bugs are shallow," noting both the increased speed of bug discovery using LLMs and the potential for defenders to use the same tooling to accelerate patching. Public comments from security vendors and practitioners quoted in the coverage highlight a tension between faster automated detection and the operational burden of triage and remediation.
What to watch
For practitioners:
- Adoption patterns for proprietary versus copyleft licenses in projects that have security-sensitive commercial offerings.
- Emergence of open source "scaffolding" toolchains that orchestrate multiple models for bug finding, and the degree to which those toolchains reduce false positives.
- Evidence in public disclosures of attackers using LLM-driven workflows to find vulnerabilities, and corresponding changes in vulnerability reporting timelines.
- Vendor claims about detection rates for closed models like Mythos versus ensembles of open models, and independent tests that validate those claims.
Scoring Rationale
The story raises notable operational security questions for developers and security teams, and it ties to ongoing debates about AI-powered vulnerability discovery. It is important for practitioners but not a frontier-model or infrastructure shock.