That has nothing to do with it being open source. In closed-source systems I've seen penetration testers find security issues that have been present for years despite annual audits during that time. This is one of the reasons why our services get at least annual penetration testing, even the legacy ones that won't have changed since the last test. It is not a bad idea to cycle through providers too, on the off chance that some may use different tooling that exposes certain flaws more readily than the techniques used by others.
Being open source just increases the chance of a problem being spotted if there are sufficiently clued-up people looking. Being open does not at all guarantee that any given problem will be spotted during the normal course of work. Security issues can be due to combinations of flaws in widely spaced code, so even if working directly on one part you might not realise there is an issue in conjunction with another part. That is why it is necessary to have tests/audits like this, for both open and closed source systems, where someone is tasked specifically to look for security problems.
It isn't right to criticise Bitwarden for being tested and issues being found (unless those issues are systemic and/or just plain stupid, or you believe the project's response to resolve them is too slow or incomplete). Instead concern should be aimed at security related products that are not regularly subject to external audit at all. Not having any issues because you have not checked for them is a much greater worry!
I think that was the point of the previous comment.
That, despite the software being open-source and therefore more likely to have bugs spotted, and despite having a bug bounty program, the auditing company found a moderate, therefore they must be thorough.
I wonder if that's the case here. I don't work in that space but the issues they found seem like they might be low hanging fruit. I've pasted them below for anyone that's curious.
> The Cross Origin Resource Sharing (CORS) configuration on Bitwarden server APIs allows for any client origin to access its endpoints.
> The Content Security Policy (CSP) configuration on the Bitwarden web vault application allows for 'unsafe-inline' CSS styles to execute.
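A defender-side check for the two findings quoted above, added here as an example; it is not code from any commenter or from Bitwarden. The response headers and the probe origin are constructed, and the check flags a CORS response that echoes an arbitrary Origin (or uses a wildcard) and a CSP whose style-src or script-src permits 'unsafe-inline'.

```python
"""Audit one HTTP response for permissive CORS and 'unsafe-inline' CSP."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows_inline(csp: Dict[str, List[str]], directive: str) -> bool:
    """Fetch directives fall back to default-src when not set explicitly."""
    sources = csp.get(directive, csp.get("default-src", []))
    return "'unsafe-inline'" in (s.lower() for s in sources)


def audit_headers(probe_origin: str, headers: Dict[str, str]) -> List[str]:
    """Return finding strings for a response to a request sent with probe_origin.

    probe_origin is an origin we control that is NOT meant to be allowed, so
    seeing it echoed back means the server accepts any client origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    elif acao and acao == probe_origin:
        suffix = " with credentials" if creds else ""
        findings.append("CORS: arbitrary request Origin reflected" + suffix)
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("style-src", "script-src"):
        if csp_allows_inline(csp, directive):
            findings.append(f"CSP: 'unsafe-inline' permitted for {directive}")
    return findings


# Constructed samples: the weak configuration beside a hardened one.
PROBE_ORIGIN = "https://probe.example"
WEAK = {
    "Access-Control-Allow-Origin": "https://probe.example",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}
HARDENED = {
    "Access-Control-Allow-Origin": "https://vault.example",
    "Vary": "Origin",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'nonce-abc123'",
}
```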
That is why it is important the reports from security audits include what was looked for and at least a little detail about how.
If they were appropriately thorough and all they found were low-hanging fruit, then that is a good thing.
Of course a detailed report is no absolute guarantee: we once had a test done that I think was more than shoddy: there was not nearly enough activity on the web server over the testing period for the amount of automated work they claimed to have done, and I spotted an issue a couple of weeks later that at least one of their documented processes really should have picked up on. That company is no longer in business thankfully.
If you were selling bogus report results for clients you'd still include a non-major thing or two. Gives a better impression of legitimacy than full marks across the board.