by throwaway613834 3041 days ago
Although you claim Wireshark, etc. can be used to verify the lack of external communication, the fact of the matter is that it only verifies you aren't sending data to third-parties all the time. It does not mean that it won't do so occasionally, or that (say, if triggered via a message in an existing platform) it won't suddenly send your credentials to someone else and then erase its tracks, or do anything more sophisticated than the naive approach you illustrated. The reality is that open-source really is necessary to prove that nothing nefarious is going on, as unfortunate as that is. I hope you can open-source it in the future so that it enjoys full adoption.

It will be open-sourced at some point within the next 2 years without a doubt.

Like I explained in the FAQ, the plans and the potential are huge, and it would be really silly to risk it all just to become another data miner. Even if it's very sophisticated, and there's a 0.01% chance it's found out, why risk everything? Besides, it's simply illegal. All the information about me and the company is public.

I wonder if you have the same concerns about other closed source software like Sublime Text.

> I wonder if you have the same concerns about other closed source software like Sublime Text.

This was an unnecessary personal jab, but I'll respond. Sublime? I don't use it. Software that deals with my credentials just like you do? Yeah, I definitely do. That's why I don't trust closed source password managers either. Text editors? Mine are open source so the thought has never crossed my mind. Other random software like my OS or Visual Studio? Depends; e.g. Microsoft is a huge corporation that has nothing to gain and a lot to lose from keylogging my passwords, but e.g. I wouldn't trust Facebook not to record my audio or fish out my contacts behind my back. Smaller utilities? Yeah, but again, they don't have my credentials at their fingertips, or need Internet access at all for that matter (I turn off auto updates so I can just block internet access for them entirely).

All of which is to say, yeah, I'm not picking on you specifically, but this isn't about me, or about you. I'm just a messenger. Verifiability is the requirement many people have for software that manages their credentials; pinkie promises aren't enough. For some of them, you can make up for some of it by having a big enough reputation to lose, and criminal history to jeopardize in their jurisdictions. For others, you can't. In your case, you don't seem to have that going for you either.
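The two practical points raised in this thread, that a Wireshark capture only shows what happened while you were looking, and that blocking a tool's Internet access entirely is the fallback when you can't read its source, can be combined into one check. The script below is an added example, not code from the thread or from the tool under discussion: it runs the tool under a dedicated Unix account and gives that account no egress at all, logging every attempt, so a one-off or triggered upload (or a DNS lookup used to smuggle data) is blocked and recorded whether or not anyone is watching at the time. It assumes Linux with iptables and the `owner` match module; the account name `pwtool`, the `DRY_RUN` switch and the sample kernel-log lines are placeholders and constructed data, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread or the tool being discussed.
# Confine a closed-source credential tool to its own Unix account and deny
# that account all egress, logging every attempt. Unlike a packet capture,
# an owner-keyed default-deny rule applies to every socket the account ever
# opens, so an occasional or triggered upload is blocked and logged too.
#
# Assumptions: Linux, iptables/ip6tables with the 'owner' match; the account
# name and the launch command are placeholders you replace.
set -eu

APP_USER="${APP_USER:-pwtool}"   # placeholder: account the tool runs as
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = apply them (needs root)

# Print a command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# OUTPUT rules for one uid, for IPv4 and IPv6: keep loopback so a local
# browser-integration socket still works, log everything else, then reject.
egress_rules() {
  user="$1"
  for fw in iptables ip6tables; do
    run "$fw" -A OUTPUT -m owner --uid-owner "$user" -o lo -j ACCEPT
    run "$fw" -A OUTPUT -m owner --uid-owner "$user" -j LOG \
        --log-prefix "EGRESS-DENY[$user]:" --log-level 4
    run "$fw" -A OUTPUT -m owner --uid-owner "$user" -j REJECT
  done
}

# Count logged, denied attempts for a user. Feed it the kernel log on stdin
# (e.g. journalctl -k or dmesg); prints 0 when there are none.
count_denied() {
  grep -c "EGRESS-DENY\[$1\]:" || true
}

# Constructed sample kernel-log lines (not a real capture) for the demo.
SAMPLE_LOG='Jan 01 12:00:01 host kernel: EGRESS-DENY[pwtool]:IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=443
Jan 01 12:00:01 host kernel: EGRESS-DENY[pwtool]:IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP DPT=53
Jan 01 12:00:07 host kernel: some unrelated message'

main() {
  egress_rules "$APP_USER"
  # Then launch the tool as the confined account, e.g.:
  #   sudo -u "$APP_USER" /path/to/tool
  # Later, check whether it ever tried to phone home:
  printf '%s\n' "$SAMPLE_LOG" | count_denied "$APP_USER"
}

main
```

With `DRY_RUN=1` the script only prints the rules; run it as root with `DRY_RUN=0` to apply them (they do not survive a reboot unless you persist them with your distribution's iptables-save mechanism). The `owner` match covers sockets opened by processes running as that uid, so the tool's own network stack is fully cut off, but it can still hand data to another process it can reach (a browser extension, the clipboard, a shared file), which is why the source-availability argument in the thread still stands.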

This was not meant to be a jab, sorry if it came out that way. English is not my native language.

I was genuinely interested, and I expected this answer. This is a very valid point of view. I hope you'll use it once it's open-sourced.