Snyk Open Source Software Risks Study Results

Should survey results such as these be of concern to Bitwarden users?

New Research from Snyk and The Linux Foundation Reveals Significant Security Concerns Resulting from Open Source Software Ubiquity | Snyk

I think the only results this should concern Bitwarden users with is how few companies see the value of open source.
Some of the points made in the article are valid, though the fact that open-source software has more dependencies and sometimes takes longer in development could be a concern. Though the same goes for many closed source projects on the flip side, I would say; just because a piece of software is closed source does not mean it doesn’t use any open source dependencies. In fact, the nature of closed source means that we don’t know what or how many possible dependencies or possible vulnerabilities some software may have.

This could be seen as a good and a bad thing, as if there is a vulnerability in closed source software, that vulnerability may not be noticed and patched by the company prior to being used in a zero-day exploit.
That same vulnerability may also never be noticed by the devs and could very well sit and possibly be exploited in the wild without any customer using that product being the wiser.

I believe the key in business and even for consumers is transparency.

Trust, but verify.

NIST describes this well as information assurance which is the concept of assuring data integrity along multiple measures.
I don’t believe that open-source is the solution to everything, and there are several open-source projects out there that simply are very small and have a lone or inexperienced developer, have a low user base, use older dependencies and are not maintained. There are also many closed source products that are very mature, well vetted, and have stood the test of time and, moreover, a constant barrage of attacks from security researchers and others.
Both closed-source and open-source have their merits, but being open-source is definitely a plus in my book.

Bitwarden as a company is very transparent, they have completed multiple 3rd party security audits which also includes an in depth code review by Cure53, and also participates in a bug bounty program via hackerone.

There are a few other good companies that provide this much data and information to their users. Most closed source companies may have a third party audit but will not tend to release the write-up publicly though. So at a minimum, if I am using a critical software either for myself or business, IMHO I believe that this level of transparency and commitment to constant improvement and security should be paramount to business.

@cksapp Thank you very much for the very detailed response. I have just recently come over to Bitwarden from 1Password, which I used for many, many years. The latest release just made the app (IMO) basically unusable, at least for me. I researched many password managers and settled on Bitwarden for a number of reasons, but mostly that, to quote Steve Jobs, “It just works.”

My understanding of “open source” software is most probably overly simplistic. I imagine a bunch (I’m sure there is technical nomenclature other than “bunch”) of code, open to the public. And my initial reaction to the article I posted a link to, was that if anyone can review it, what’s to stop someone from modifying parts of it, loading it onto the Bitwarden servers, and having a go at the user base. Like I said, a very simplistic understanding at best.

Your comprehensive explanation and references have put my mind at ease. Thank you!

Hey @Homer712 rest assured that community code contributions (just like internal code) are carefully vetted and undergo layers of approval and code scanning before being merged with the main branch. Regular third party audits, partnerships with security researchers and compliance with international standards also ensure that open source at Bitwarden is synonymous with trust :superhero: