Cal.com blames AI-powered vulnerability hunting for its move from open source to locked-down code — and tosses a crippled ‘community’ edition to keep its cred.

Drat! Something else I’ve been meaning to try has been taken off my list.
The calendar app — some call it a scheduling app — Cal.com announced on Tuesday that after five years it’s dropping open source licensing and going forward will be locked-down proprietary.
I know what you’re thinking — that here we have another company bemoaning that open source doesn’t work very well as a business model (how could it, it was never intended to be a business model, but that’s fodder for another article), and that everybody has been “stealing” the freely available code instead of ponying up for enterprise support.
Refreshingly, that’s not the case, but that doesn’t make it feel any better. In fact, when I have time to think about it, it’s probably going to make it feel much worse. Scratch that… it already feels worse.
“Open source is dead,” Cal.com co-founder and CEO Bailey Pumfleet posted on LinkedIn on Wednesday, a day after he announced that the company is going proprietary. “That’s not a statement we ever thought we’d make.”
The reason is AI, and the reason is security. Specifically, it’s that AI is very good at looking at source and discovering serious vulnerabilities that human eyes maybe haven’t spotted after years of looking. It’s also good at quickly coming up with ways to exploit a vulnerability once it finds one. Because of this, the folks at Cal.com say they want to lock up their source code and keep it where no one can see it — which probably won’t work as well as they think it will, but more on that in a moment.
“Being open source is increasingly like giving attackers the blueprints to the vault,” Pumfleet said in the post published Tuesday under his byline. “When the structure is fully visible, it becomes much easier to identify weaknesses and exploit them.
“In recent months, we’ve seen a wave of AI security startups productizing this capability,” he added. “Each platform surfaces different vulnerabilities, making it difficult to establish a single, reliable source of truth for what is actually secure.”
It’s ‘For the Customers’
Usually when a company drops open source, it tries to pretend it’s still open by releasing under a fauxpen “source available” license that still lets you look at the source code, but doesn’t allow you to distribute or fork it. In other words: it protects its investment and enforces ownership of the code.
That’s not quite the case here, partly because the whole purpose is to hide the code where AI can’t find it. Also, as Pumfleet tells it, they’re not protecting themselves so much as they’re protecting their customers.
“This uncertainty forced us to make a choice: remain open source and accept increasing risk to customer data, or move to closed source to reduce that risk,” he said. “It’s not a perfect solution, but we have to do everything we can to protect our users.”
I hate to be the one to break it to him, but what he’s doing has a name — “security through obscurity” — and it’s one that didn’t work well back in the old days, and it’s definitely not going to work in the age of AI.
About three weeks ago, we published an article on FOSS Force by Gregory Kurtzer, founder and CEO of CIQ, the company behind Rocky Linux. In it, he describes feeding some binary code from 1986 to AI, which analysed it and quickly found a security hole:
“This was 6502 machine language from the Apple IIe, published as raw hex in print, with no source code. He fed it to a frontier AI model, which reconstructed the program logic with labels, comments, and explanations. It identified the programmer’s intent behind code written four decades ago, all from the binary. Then, it ran a security audit and caught a subtle bug where a routine failed to check a carry flag after a line search.”
In other words, Pumfleet’s game plan might have worked OK a year ago, but likely not now. Even if it does work now, its days are numbered.
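The carry-flag bug Kurtzer’s quote describes is a classic class of 8-bit defect: a 16-bit pointer is kept as two bytes, and a routine that bumps the low byte without propagating the carry into the high byte silently wraps inside a 256-byte page instead of moving to the next one. The following C program is an added illustration written for this article, not code from Cal.com, Kurtzer, or the 1986 listing; it emulates that pattern on a constructed memory image so the failure mode is visible without a 6502.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 64 KiB memory image standing in for the Apple's address space. */
static uint8_t mem[65536];

/* Emulate an 8-bit add the way the 6502 ADC does it: return the low byte of
   the sum and report whether the add carried out of bit 7. */
static uint8_t adc8(uint8_t a, uint8_t b, int *carry) {
    unsigned sum = (unsigned)a + (unsigned)b;
    *carry = sum > 0xFF;
    return (uint8_t)sum;
}

/* Buggy pointer increment: the low byte is advanced but the carry is never
   checked, so crossing from 0xNNFF the pointer lands on 0xNN00 (same page). */
uint16_t step_buggy(uint16_t p) {
    int carry;
    uint8_t lo = adc8((uint8_t)(p & 0xFF), 1, &carry);
    uint8_t hi = (uint8_t)(p >> 8);      /* BUG: carry ignored, hi never bumped */
    (void)carry;
    return (uint16_t)((hi << 8) | lo);
}

/* Fixed pointer increment: a BCS/INC-hi equivalent propagates the carry. */
uint16_t step_fixed(uint16_t p) {
    int carry;
    uint8_t lo = adc8((uint8_t)(p & 0xFF), 1, &carry);
    uint8_t hi = (uint8_t)(p >> 8);
    if (carry) hi++;                      /* carry out of the low byte moves to the next page */
    return (uint16_t)((hi << 8) | lo);
}

/* A "line search": walk forward from start looking for '\n', at most max_steps
   bytes. Returns the address of the newline, or 0 if the scan gives up. The
   step function is injected so the buggy and fixed variants can be compared. */
uint16_t find_line_end(uint16_t start, unsigned max_steps,
                       uint16_t (*step)(uint16_t)) {
    uint16_t p = start;
    for (unsigned i = 0; i < max_steps; i++) {
        if (mem[p] == '\n') return p;
        p = step(p);
    }
    return 0;
}

/* Constructed sample: a line of 'A' bytes from 0x10F0 that crosses the page
   boundary at 0x1100 and terminates with '\n' at 0x1104. Everything else is 0. */
void load_sample(void) {
    for (size_t i = 0; i < sizeof mem; i++) mem[i] = 0;
    for (uint16_t a = 0x10F0; a < 0x1104; a++) mem[a] = 'A';
    mem[0x1104] = '\n';
}

int main(void) {
    load_sample();
    printf("fixed routine finds newline at $%04X\n",
           find_line_end(0x10F0, 64, step_fixed));   /* $1104 */
    printf("buggy routine returns $%04X (wrapped inside page $10xx, newline never reached)\n",
           find_line_end(0x10F0, 64, step_buggy));   /* $0000 */
    return 0;
}
```

The buggy scan cycles through 0x1000 to 0x10FF forever, reading whatever happens to live there rather than the text it was meant to parse; that is exactly the kind of silent wrong-address read an auditor, human or model, flags when it sees an increment of the low byte with no branch on the carry afterwards.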
Cal.com’s ‘Open’ Version
Although Cal.com is now released under a EULA that doesn’t even pretend to look like open source (there’s no fauxpen aspect trying to fool anyone), it is making the gesture of throwing out a hush puppy by releasing an open source alternative that looks a whole lot like crippleware.
“We still care deeply about open source,” Pumfleet said. “That’s why we are releasing a version of our codebase to the community under the MIT license as Cal.diy. While our production codebase has significantly diverged, including major rewrites of core systems like authentication and data handling, we want to ensure there is still a truly open version available for developers, hobbyists, and anyone who wants to explore and experiment.”
I’ll dare to damn that open source release with faint praise without even trying it on for size.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux