Audits can be hit or miss; I've seen high-quality code review companies just miss major and obvious security mistakes by simply not tracing the execution logic step by step in critical code sections and instead just scanning the code for common known mistakes based on code fragment matching.
The same could be said for proprietary applications, which may never see third-party audits because 'meh, customers have no access to our source and IP protection or something'.
They're 'paying' you by being part of a movement to improve society for everyone, which includes free use of their software.
Sure, you can't eat that, but man does not live on bread alone.
You'd tell a neighbour if they'd accidentally left their car door open, wouldn't you? Most people would even shut the door if they weren't around. Same principle.
> Most people would even shut the door if they weren't around. Same principle.
This is a poor example because finding bugs requires a lot more effort than giving a door a push (which I find a little spurious - I wouldn't touch my neighbours' car).
There is in practice an almost infinite number of things you can donate time to, and all else being equal (for example, they're all password managers), I doubt you'll convince most people by telling them they should do it because "it makes things better for everyone"; they could be making everything better for everyone and still getting paid - that's the superior option. Even if I think you are correct.
I appreciate that they have a good way of contacting them with security issues, and if I found any by accident or used the tool daily myself I might report stuff. However, I will not dedicate time to hacking something I do not use myself, to report stuff for free.