I wonder if that's the case here. I don't work in that space but the issues they found seem like they might be low hanging fruit. I've pasted them below for anyone that's curious.
> The Cross Origin Resource Sharing (CORS) configuration on Bitwarden server APIs allows for any client origin to access its endpoints.
> The Content Security Policy (CSP) configuration on the Bitwarden web vault application allows for 'unsafe-inline' CSS styles to execute.
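A small header check for the two findings quoted above, added here as an example and not taken from the audit or from Bitwarden's code; the origins, nonce and header sets are constructed, and it also covers `script-src` and the CSP rule that a nonce or hash makes `'unsafe-inline'` ignored.

```python
from typing import Dict, List, Optional

# Constructed sample headers, not captured from any Bitwarden deployment.
PROBE_ORIGIN = "https://attacker.example"  # an origin the API must never trust
WEAK_API_HEADERS = {"Access-Control-Allow-Origin": PROBE_ORIGIN,  # Origin echoed back
                    "Access-Control-Allow-Credentials": "true"}
HARDENED_API_HEADERS = {"Access-Control-Allow-Origin": "https://vault.example",
                        "Vary": "Origin"}  # fixed allow-list entry
WEAK_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"
HARDENED_CSP = "default-src 'self'; style-src 'self' 'nonce-c0nstructedN0nce'"

def check_cors(headers: Dict[str, str], probe_origin: str) -> List[str]:
    """Flag a CORS response that lets an arbitrary origin read the API."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    findings = []
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    elif acao == probe_origin:  # echoing the caller's Origin is a wildcard in disguise
        findings.append("CORS: request Origin reflected without allow-list")
    if findings and h.get("access-control-allow-credentials", "").lower() == "true":
        # Browsers refuse '*' with credentials, but a reflected origin plus
        # credentials lets any site perform authenticated cross-origin reads.
        findings.append("CORS: credentials allowed with a permissive origin")
    return findings

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [lower-cased source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def check_csp(policy: Optional[str]) -> List[str]:
    """Flag style-src / script-src that still permit inline content."""
    if not policy:
        return ["CSP: header missing"]
    d = parse_csp(policy)
    findings = []
    for directive in ("style-src", "script-src"):
        sources = d.get(directive, d.get("default-src", []))
        # CSP Level 2+: a nonce- or hash-source makes 'unsafe-inline' ignored.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"CSP: {directive} permits 'unsafe-inline'")
    return findings
```

Run the checks against the weak and hardened samples to see the first pair flagged and the second pass clean; to test a live deployment, send a request with a throwaway `Origin` and feed the response headers to `check_cors`.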
That is why it is important that the reports from security audits include what was looked for and at least a little detail about how.
If they were appropriately thorough and all they found were low-hanging fruit, then that is a good thing.
Of course a detailed report is no absolute guarantee: we once had a test done that I think was more than shoddy: there was not nearly enough activity on the web server over the testing period for the amount of automated work they claimed to have done, and I spotted an issue a couple of weeks later that at least one of their documented processes really should have picked up on. That company is no longer in business thankfully.