[beatgammit]

Sure, but if it has been audited, it's more likely that security issues were found and resolved than if it hasn't gone through one.

Our company went through an audit and did quite well, and we fixed most of the findings. However, I know for a fact that there are things we can do to improve that weren't covered.

Not all audits are created equal, no audit will catch everything, and there's no guarantee that findings were patched sufficiently. However, I feel much better knowing that an audit was done, which means the author cares at least somewhat about security.

[tptacek]

I think Scott knows that most of these other password managers have been audited, and I know he knows audits are of varying quality and are virtually never conclusive, so I'm not sure what he's trying to say by pointing Bitwarden's audit out.

[CiPHPerCoder]

I thought the checklist was aiming to be comprehensive and that the omission of the audits was an oversight.

The one for bitwarden being, as you said, disquieting, makes its omission a little suspicious.

[jik]

We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."

We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.

We didn't include security audits in our evaluation because, we are skeptical of their value and do not consider them a significant differentiator.

For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.