[EMIRELADERO]

I never said open source was to be the foundation. In fact, I never talked about open source at all. All I'm referring to is source availability.

As I said earlier I'm not going to complain that you won't use a free license such as MIT or AGPL or whatever else. The real issue is just the sources being publicly auditable. Are you worried about your competitors copying your non-copyrightable material? Ideas?

While there would still be an issue, I would be a bit less harsh on the policy if at least the clients were source-available. Transparency is security.

> It is hard to seriously compare the features, the security design, and the UX of Bitwarden to 1Password — it is not close.

How does Bitwarden not come close in security? All I can come up with is the secret key requirement. Is that all? If anything Bitwarden feels more secure because of its transparency. You can see the developers working live, each commit they make.

[roustem]

The client source code is the where the most of the IP is. The server code is pretty dumb on it own, all it does is the sync and permissions.

One of the issues with Bitwarden encryption is the fact that every field is encrypted separately and that could provide more info to the attacker. For example, you could tell how many URLs in a particular login or if there is note for an item and how long it is.

[EMIRELADERO]

Noted, thank you. So why not source-available? I assumed you already published the non-copyrightable ideas in your public whitepaper. Is there a concern that even if the sources are made available under a "look but don't touch" basis (essentially all rights reserved) competitors would still gain an advantage by copying the non-copyrightable stuff like processes or ideas? (that are already public through the whitepapers and could reasonably still be obtained via reverse-engineering of the client binaries)