Security software is a bit different than other types of software. You've got to expect an "insecure until shown secure" attitude; it's the same attitude that drives our confidence in cryptographic primitives. If it's new, we don't immediately implement it for precisely that reason -- regardless of whether or not it looks good. I'm sad to hear that, as I thought I provided useful information from experience. But, to give the benefit of the doubt that it was overlooked, I'll mention my concerns again. First, you mention that you use hash functions during the creation of the "vault." If I have this correct, a hash value that's stored with the vault is verified whenever the vault is accessed, in order to detect any changes to the vault? If so, that'll work against passive scenarios, like accidental corruption, but it's useless against an active adversary, who can simply manipulate the vault and replace the hash with a new hash that corresponds to the tainted vault. That's because hash functions are unkeyed. What you need is a keyed MAC, where you can use a block cipher with CMAC, or a hash function with HMAC, for instance. But maybe it doesn't work this way, so I'm open to be educated on how it does. Regardless, you're not going to preserve integrity against an active adversary unless you use a MAC. Second, you use Blowfish. It's 64-bit block size could be a problem, if you encrypt more than 2^32 blocks under a single key. To translate this into terms that would affect your software, plaintext information would start to leak if your vault is larger than 32GB. Maybe you limit the size of vaults such that this would be a non-problem, but even if you do, I see no reason, cryptographically, to use Blowfish, where the AES is just fine. The tricky part about security software is that you can't run beta tests for security problems, and it seems a bit premature to publish your software, let alone charge for it, when it's incredibly new, designed by those whose cryptographic prowess is unknown, and comes without any analysis that we know of. Couple that with the potential issues I mentioned above, where I may not have any protection against active adversaries and my plaintext may start to leak if I use Blowfish on a vault beyond 32GB in size, and I'm left uneasy. My criticism is certainly given with the intent of protecting your reputation, because if history has shown us anything, it's that those who jump the gun with security, and are caught, are left with a reputation that's next to irreparable. Sure, security is a bit of a crapshoot at times, and some insecurities are taken as a matter of course, but silly ones, like not properly preserving integrity and letting plaintext information leak, are usually not forgiven. Simply going back to publishing it for free isn't good enough right now; it shouldn't be published at all. Doing so puts your reputation, and others' data, on the line. What I'm not saying is, "Throw in the towel." What I am saying is, "Slow down."