I’m thinking about the fact that Bitwarden should be audited again in the future. The reasons I believe that are :
- future change to encryption protocols or hashing (new flaws discovered, or obsolete ones);
- error in codes in implementing new features or correcting some issues (lot of potential mistakes)
- changes in OS or browsers that are compatible wit Bitwarden
It may sound paranoiac, but, passwords managers should be be a bit more paranoiac than the vast majority of softwares, no? Maybe it could be done at a regular time or within a certain range of changes. I know that Hacker One is involved it Bitwarden, but, I fear that it’s not as serious as a full audit done by a serious security company. When I look to Hacker One activity related to Bitwarden, it seems a bit light…
I guess it needs, at least, some thinking about it.
I would hope that there’ll be regular pen testing carried out by a third party. Would be nice to get more details on this.
I was wondering too. So, I wrote to support and they give me that answer: “We have intentions of scheduling another security audit this year.” So, that’s good news! Be patient, it looks like it’s coming soon.
Thats great to hear. Vulnerabilities arent static, with new exploits come new pen tests.
I would love to donate some money for an security audit.
Please consider starting a donation portal for this!
Thank you @vachan for your reply.
I just had 2018 in mind but did not know that there was a recent audit.
Good to know.
I woud suggest trying to hire Wladimir Palant (founder of AdBlock Plus) for the next audit. He has found major security vulnerabilities in LastPass and other password managers. Here is one of his blog posts about LastPass, there are links to more in the “see also” section:
Should you be concerned about LastPass uploading your passwords to its server?
Also, would it not be right to have a remunerated bug bounty program? As Wladimir points out, he has to make a living too…
We’ll be talking a little more about our Hackerone program this morning at this event
Sadly I missed it. Is a recording available somewhere?