April 15, 2026
AI ate the code. The comments ate Cal
Open Source Isn't Dead. Cal.com Just Learned the Wrong Lesson
Internet calls it an excuse; devs brawl over secrecy vs sunlight
TLDR: Cal.com says it’s closing its code to stop AI-driven hacks, while Strix counters that hiding won’t help and urges automated defenses. Commenters split between “it’s a cash-grab excuse,” “obscurity buys time,” and “use proven tools,” making this a flashpoint for how software stays safe in the AI era.
The moment scheduling startup Cal.com said it’s closing its core code to stop AI-powered hackers, the comments section combusted. Strix, an open-source security project that actually helped Cal.com fix bugs, argued the opposite: don’t hide—fight AI with better AI. And then the crowd took sides with popcorn in hand.
On one flank, cynics called Cal.com’s move a business pivot dressed up as safety. One commenter blasted it as “spineless,” while others joked about “putting bugs behind a paywall” and memed, “Move fast and break transparency.” Open-source maintainers chimed in with receipts: they’re drowning in AI-found bug reports—some nitpicks, some very real—but at least the issues get fixed. The mood there: hiding code kills community watchdogs, while AI attackers will keep poking the live product anyway.
But not everyone booed. A counter-crew argued secrecy still slows attackers, name-dropping Cloudflare’s closed anti-bot playbook as proof that obscurity can buy time. The pragmatists offered a third lane: stop being “clever,” use battle-tested frameworks, and automate security checks on every change.
Bottom line drama: Everyone agrees AI changed the rules. The fight is over the fix—turn off the lights or turn up the robots. The internet, as usual, chose chaos and clapbacks over consensus.
Key Points
- •Cal.com announced it is transitioning its core codebase away from open source, citing AI-enabled, near–zero-cost vulnerability discovery and exploitation.
- •Strix, an open-source AI security project, has collaborated with Cal.com on responsible disclosure and refrains from detailing unpatched issues.
- •Strix argues closing source code will not stop AI-driven attacks, as modern agents can perform effective black-/grey-box testing without repo access.
- •The article asserts that relying on security through obscurity is increasingly ineffective against automated, persistent AI adversaries.
- •Strix recommends integrating autonomous AI security testing into CI/CD for continuous, near–zero-cost validation and states it will remain open source.