On that note, you may be interested in the three new security issues in Bitwarden I reported today. (I’m the person who reported this security issue with the KDF (assigned CVE-2019-19766) almost a year ago, which has not been fixed during that time and apparently still nobody at Bitwarden is working on fixing it.)
Details at: Three Major Bitwarden Security Issues
One of them allows anyone who can breach the Bitwarden infrastructure or release tooling/users to steal every password of every desktop application user, via the no-user-intervention autoupdate mechanism. The web app at vault.bitwarden.com of course already permits such an attack because it’s impossible to protect a webapp’s cryptography code from a server breach (because the code comes from the server itself on each pageload).