Open-Source: Can Bitwarden be exploited?

I am not an expert in programming or things like that, but the thought of Bitwarden, a well-known and free Open-Sourced password manager, is openly displaying it’s behind-the-scenes magic to the public is intriguing me. I ask this question: What if hackers analyze the source-code and use it to exploit the mobile and desktop apps? Yes, there’s top notch security, but it may as well be a possibility. Every service has a vulnerability.

You also have the benefits of security researchers able to audit the code and warn the team + propose the fix that would solve the issue :slight_smile:
Furthermore, developers are able to improve the product by submitting code changes that are reviewed by Bitwarden team before integration.

2 Likes

Security through obscurity is not security at all.

2 Likes

Open Source is more secure than closed source.

You just never hear of the closed source apps being hacked until 5 years later when someone leaks the fact that they got hacked and leaked tons of user data 5 years ago woops!!!

That’s what the GDPR was designed to stop.

You think that open source is easier to hack because everything is public from day one, when in actuality all these websites and apps you’re using are leaking your data and never telling you about it. (I personally don’t think GDPR will change that)

3 Likes

I am new to BW and I really have the same question in my mind: was there any official code audit yet?
Means: there are companies that do code audits, has this be done for the BE code?
If not: what about a Kickstarter campaign (I would donate)?
I know from my ISO at work that he sometimes mandates a company to review the code of an application.

And what about a bug-boounty program?

Did I mention that I love BW and that I want to support it with my Suggestions?
And that I plan to switch from KeePass if some more features are implemented?

As mentioned here and here.

If I understood there are donation requests but this is not possible yet…
@kspearrin What about a Kickstarter campaign to collect money for an official code audit?

I would donate USD 50 for a code audit (security review).
Really!

We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).

https://github.com/bitwarden/core/issues/27

1 Like

Cool, the results are helpful to convince colleagues and to introduce Bitwarden in companies.

Any results of the audit yet available?

2 Likes

Thank you @kspearrin
Good to see that no major issues were identified during this audit and that all impactful issues have already been resolved in recent Bitwarden application updates