Many of these have had audits, not just this Bitwarden audit. There are some disquieting things in that audit, for what it's worth.
I don't understand how this information is actionable. It would be worth knowing whether something has _ever_ been audited (again: most of the major password managers have been), but just knowing an audit has been done isn't sufficient to know whether it's secure.
Sure, but if it has been audited, it's more likely that security issues were found and resolved than if it hasn't gone through one.
Our company went through an audit and did quite well, and we fixed most of the findings. However, I know for a fact that there are things we can do to improve that weren't covered.
Not all audits are created equal, no audit will catch everything, and there's no guarantee that findings were patched sufficiently. However, I feel much better knowing that an audit was done, which means the author cares at least somewhat about security.
I think Scott knows that most of these other password managers have been audited, and I know he knows audits are of varying quality and are virtually never conclusive, so I'm not sure what he's trying to say by pointing Bitwarden's audit out.
We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."
We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.
We didn't include security audits in our evaluation because we are skeptical of their value and do not consider them a significant differentiator.
For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.
Did you click on the "full report" links? Those are just simple page attestations.
The latest appears to be a private bug bounty program, where 9 high priority issues were discovered.
Who knows what they were, or whether any of the low priority issues should have been classified differently.
Without transparency, we just trust an empty attestation.