This is a feature request related to governance and policy of security practices which has a direct impact on engineering and codebase.
Request: Increase Third Party Audits and Penetration Testing + Routinely Vary the Auditors
Issue: The size of the user base for Bitwarden warrants a proportional increase in published, third party security audits of the codebase, including penetration testing. To be clear, Bitwarden does do third party audits and it does publish them. The audits appear sound and are conducted by well-known and reputable auditors with expertise in IT security. However, audits appear to be less frequent than some key competitors.
Example:
1Password: Security audits of 1Password. (6 published audits in 2022 alone)
Bitwarden: Compliance, Audits, and Certifications | Bitwarden Help Center and Compliance | Bitwarden
LastPass: Can’t find a source of consolidated, published audits.
You can see from the very small sample above where Bitwarden sits. This is not a criticism. An audit schedule is going to need to be annually budgeted for and will increase as your dominance increases in the marketplace, as this exposes you to greater attention from bad actors.
It may be argued that the open source nature of Bitwarden compared to its competitors acts as an ongoing crowd-sourced auditor. This is a reasonable argument. However, while bug reporting by the community and bug bounty programs are an additional security benefit, they are not something that should replace or limit the frequency of routine third-party audits.
Additional published, third-party security audits increase consumer confidence by affirming the already secure codebase of Bitwarden through routine, frequent audits by varied auditors who have dedicated expertise in security.
If you support this change, please vote.
Thank you.