Increase Third Party Audits and Penetration Testing + Routinely Vary Auditors

This is a feature request related to governance and policy of security practices which has a direct impact on engineering and codebase.

Request: Increase Third Party Audits and Penetration Testing + Routinely Vary the Auditors

Issue: The size of the user base for Bitwarden warrants a proportional increase in published, third party security audits of the codebase, including penetration testing. To be clear, Bitwarden does do third party audits and it does publish them. The audits appear sound and are conducted by well-known and reputable auditors with expertise in IT security. However, audits appear to be less frequent than some key competitors.

Example:
1Password: Security audits of 1Password. (6 published audits in 2022 alone)

Bitwarden: https://bitwarden.com/help/is-bitwarden-audited/ and https://bitwarden.com/compliance/

LastPass: Can’t find a source of consolidated, published audits.

You can see from the very small above sample where Bitwarden sits. This is not a criticism. An audit schedule is going to need to be annually budgeted for and will increase as your dominance increases in the marketplace, as this exposes you to greater attention from bad actors.

It may be argued that the open source nature of Bitwarden compared to its competitors acts as an ongoing crowd sourced auditor. This is a reasonable argument. However, bug reporting by the community and bug bounty programs are an additional security benefit, they are not something which should replace or limit the frequency of routine third party audits.

Additional published, third party security audits increase consumer confidence by affirming the already secure codebase of Bitwarden by subjecting it to routine, frequent audits by varied auditors who have dedicated expertise in security.

If you support this change, please vote.

Thank you.

3 Likes

Thanks for the feature suggestion! For forum reader reference, the full Bitwarden compliance page is located at https://bitwarden.com/compliance/. Rest assured your feedback has been passed along to the team :+1:

1 Like

Thanks. I have edited my original post to include the Bitwarden compliance page and also left the original Bitwarden Audit page.

I also notice that last year’s pen-testing’s (by Cure53) result wasn’t announced specifically (although included in the compliance page), while the previous years’ were. I think it is a good idea to definitely announce it in the blog, and announce it in communities routinely but as widely as possible. It’s good for the users to hear that BW is serious in maintaining the audit schedule and making these as transparent as possible.

This would be a contrast to LP’s claim of being audited but can’t be checked anywhere (on the company’s blog, in the media, etc.)

1 Like

Thanks for the feedback, I believe these are usually communicated out, but I’ll share feedback with the team :+1:

Oh, the Cure53 report completely slipped by - and I have a RSS feed set up for the blog so I‘d have seen it.

On that note, did you deny Cure53 the right to publish the full report themselves?
(Usually they add the reports on their website under „publications“.)