by tptacek 2740 days ago
I think Scott knows that most of these other password managers have been audited, and I know he knows audits are of varying quality and are virtually never conclusive, so I'm not sure what he's trying to say by pointing Bitwarden's audit out.

I thought the checklist was aiming to be comprehensive and that the omission of the audits was an oversight.

The one for Bitwarden being, as you said, disquieting, makes its omission a little suspicious.

We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."

We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.

We didn't include security audits in our evaluation because we are skeptical of their value and do not consider them a significant differentiator.

For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.