I’m thinking about the fact that Bitwarden should be audited again in the future. The reasons I believe that are :
future change to encryption protocols or hashing (new flaws discovered, or obsolete ones);
error in codes in implementing new features or correcting some issues (lot of potential mistakes)
changes in OS or browsers that are compatible wit Bitwarden
etc.
It may sound paranoiac, but, passwords managers should be be a bit more paranoiac than the vast majority of softwares, no? Maybe it could be done at a regular time or within a certain range of changes. I know that Hacker One is involved it Bitwarden, but, I fear that it’s not as serious as a full audit done by a serious security company. When I look to Hacker One activity related to Bitwarden, it seems a bit light…
I guess it needs, at least, some thinking about it.
I was wondering too. So, I wrote to support and they give me that answer: “We have intentions of scheduling another security audit this year.” So, that’s good news! Be patient, it looks like it’s coming soon.
In July 2020, Bitarden successfully completed a thorough security assessment and penetration test by auditing firm Insight Risk Consulting. You can read more about this security audit here.
I woud suggest trying to hire Wladimir Palant (founder of AdBlock Plus) for the next audit. He has found major security vulnerabilities in LastPass and other password managers. Here is one of his blog posts about LastPass, there are links to more in the “see also” section:
This is a feature request related to governance and policy of security practices which has a direct impact on engineering and codebase.
Request: Increase Third Party Audits and Penetration Testing + Routinely Vary the Auditors
Issue: The size of the user base for Bitwarden warrants a proportional increase in published, third party security audits of the codebase, including penetration testing. To be clear, Bitwarden does do third party audits and it does publish them. The audits appear sound and are conducted by well-known and reputable auditors with expertise in IT security. However, audits appear to be less frequent than some key competitors.
LastPass: Can’t find a source of consolidated, published audits.
You can see from the very small above sample where Bitwarden sits. This is not a criticism. An audit schedule is going to need to be annually budgeted for and will increase as your dominance increases in the marketplace, as this exposes you to greater attention from bad actors.
It may be argued that the open source nature of Bitwarden compared to its competitors acts as an ongoing crowd sourced auditor. This is a reasonable argument. However, bug reporting by the community and bug bounty programs are an additional security benefit, they are not something which should replace or limit the frequency of routine third party audits.
Additional published, third party security audits increase consumer confidence by affirming the already secure codebase of Bitwarden by subjecting it to routine, frequent audits by varied auditors who have dedicated expertise in security.
Thanks for the feature suggestion! For forum reader reference, the full Bitwarden compliance page is located at Compliance | Bitwarden. Rest assured your feedback has been passed along to the team
I also notice that last year’s pen-testing’s (by Cure53) result wasn’t announced specifically (although included in the compliance page), while the previous years’ were. I think it is a good idea to definitely announce it in the blog, and announce it in communities routinely but as widely as possible. It’s good for the users to hear that BW is serious in maintaining the audit schedule and making these as transparent as possible.
This would be a contrast to LP’s claim of being audited but can’t be checked anywhere (on the company’s blog, in the media, etc.)
On that note, did you deny Cure53 the right to publish the full report themselves?
(Usually they add the reports on their website under „publications“.)
