Why not simply open-source (under a suitably restrictive license regarding commercial reuse) the actual cryptography algorithms, libraries and related code used in the application? That allows competent people to review the cryptography and subject it to whatever testing is necessary, while preserving the intellectual and commercial property inherent in a for-profit company. Granted, security issues could well be elsewhere in the application code, but I think it's going a bit far to think that just open-sourcing the whole application is going to attract the kind of thorough external audit that actually needs to be done at regular intervals. In fact, regular external audits of the whole application really *are* necessary, in addition to disclosures about the cryptography used. It would be great if Enpass is willing to invest that kind of money and publish the results!

UPDATE: I overlooked the other thread in this forum section about planned external security audits. Let's hope Enpass makes those a regular milepost in their plans!