Cal.com Closes Source Code Amid AI Security Concerns

Cal.com has decided to transition its core codebase away from open source due to the growing threat of AI-driven vulnerability discovery. According to CEO Bailey Pumfleet, AI has made it nearly costless to scan and exploit code, turning transparency into exposure. At Strix, we understand their concerns, as our own open-source AI security agents process billions of LLM tokens daily to identify software vulnerabilities. We've collaborated with Cal.com to responsibly disclose vulnerabilities, and we respect their commitment to user safety. However, we disagree with their decision to close their source code.

Closing source code does not deter AI hackers, as modern AI tools like Strix excel at black-box and grey-box testing, which do not require access to the codebase. These tools can dynamically interact with live systems to uncover vulnerabilities, making the attack surface visible even without source code access. Relying on security through obscurity is ineffective against automated AI agents that tirelessly probe for flaws.

Instead of retreating from open source, the solution lies in integrating AI defenders into the development process. Automated security testing should be a continuous part of the CI/CD pipeline, allowing AI agents to validate code and infrastructure changes in real-time. This approach leverages AI's capabilities to match the pace of software development and counteract AI-driven attacks.

Despite the shift away from open source, we at Strix maintain our commitment to transparency. We believe that open-source tools are crucial for securing the next generation of software, providing developers with the means to protect their systems against AI hackers. By empowering developers with autonomous security agents, we can create a stronger defense against evolving threats.