I actually came here today to post a thread like this and I’m glad to see someone else already did.
I work at a small MSP and after years of using Bitwarden Personal with great satisfaction, I pushed to make it our org-wide password manager and also to get us in the MSP program to resell it to clients. Since then, we’ve run into a number of bugs that should not have gotten past QA such as:
- Desktop app Windows Hello authentication straight breaking.
- MFA tokens going out of sync with time and not working for several of my techs.
- The extension no longer showing a matching cred count on web sites. This is still ongoing.
- Bitwarden CLI suddenly requiring me to re-enter my master password before every single operation it’s asked to do in a script. This started randomly and got escalated all the way to one of your engineers who was great to deal with, but who literally couldn’t find the cause. This is still ongoing.
- The clickjacking vulnerability that was just recently revealed.
This type of glacial feature development and sloppy QA is not becoming of a product that is trying to sell to businesses and has Enterprise in its name. If not already underway, Bitwarden needs to undergo a thorough internal process review and needs solid, immutable, transparent QA processes. As the OP asked, having an LTS branch, along with Stable or potentially even Canary branches would not go amiss either.
I really like Bitwarden in general, but I get questions from both clients and my management about things like the above because if they cause us headaches as IT pros, we can only imagine what it would be like for end users trying to do the same. Convincing clients to onboard to a password manager is a challenge unto itself, but trying to get them to stick with it when bugs and frustrations like this keep coming up is borderline impossible.
I can’t convince my management to stick with the product indefinitely while this continues and if the product I pushed for ends up having to get replaced because of it, I will be very upset at taking the reputational hit because of a vendor’s sloppiness. These types of procedural growing pains aren’t unheard of in small companies (we’ve had them ourselves), but when you’re selling a critical security service, a cut above that is needed.
To conclude, I’m asking you guys please, you have a great product, just please get your process house in order.