Cal.com announced they're going closed source. The stated reason: AI has made it too easy for attackers to find bugs in public code.
I've been thinking about this for a bit. It's security-through-obscurity with a 2026 paint job, and I don't buy it.
Kerckhoffs's principle is over a century old: a system should remain secure even when everything about it except the key is public.
LLMs don't change the direction, only the speed. AI scans closed code just fine (fuzzing, binaries, APIs). Hiding the source doesn't remove bugs. It just means whoever finds them has no obligation to tell you first.
From Vikunja's own release notes: CVE-2026-28268, fixed in 2.1.0. Password reset tokens weren't being invalidated after use. The bug had been sitting in the codebase since v0.18.0 in September 2021.
A researcher found it (probably with the help of AI), reported it responsibly, and it got fixed. If the source had been closed, nobody external would have been in a position to catch it.
Every founder who eventually closed their source once said "I promise we won't." I believe they meant it at the time. Circumstances change.
So the better question is: what would have to happen for Vikunja to close? Four structural facts: AGPL-3 license, no CLA, no investors, and anyone can fork today's code.
Transparency trades "bugs found later by the wrong people" for "bugs found earlier by the right ones."
That's the actual tradeoff. Closing the source flips the sign on every term.
