This is not an official statement of Bitwarden. I am speaking only for myself.
I appreciate your concern and effort in keeping me honest. I’ll let a community manager speak to Bitwarden’s perspective. In the meantime, I’ll offer mine.
As an engineer, I try to deal with facts. So, let’s talk about how security engineering works at a high level, independently of Bitwarden’s processes.
Quite a bit of security engineering is performed by whitehats reporting security issues in return for bounties. There’s a period of time between when an issue is reported and when someone solves it where the reported information is embargoed. Essentially, the researcher is required to refrain from publishing information until the issue is resolved or a fixed period of time has elapsed. After that, they can disclose the vulnerability.
Concurrently with that, the organization responsible for the software has development ongoing for many objectives. It needs to choose which reports it responds to, when to respond, and balance the effort of a “perfect” solution with the ongoing needs of both the business and its customers.
There’s a careful balance to strike across urgency, available resources, priority of competing work, contractual obligations, overhead, technical debt, and so forth. What you’re observing is not a lack of rationality, but the result of needing to balance all of these concerns while continuing to enhance the product.
Neither you nor I have a complete picture of that. I’ve been head-down trying to build an extensible credential generator toolkit that we can evolve to meet the growing needs of our users. It includes features I’m excited to expand, and we’re just now closing in on recognizing the “MVP” of that vision.
I think it’s a great thing that you, and others, are speaking up. I’ve been working on the generator for about a year now, and I want to make it the best that it can be. Feedback is the best way I know to get there, and I truly appreciate everyone who dedicates their time to exploring what’s possible. I can’t promise I’ll implement any specific idea, but I can say that we have the flexibility and know-how to move forward with confidence.