Bitwarden believes that working with security researchers across the globe is crucial to keeping our users safe. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!
Response targets
Bitwarden will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submission): 3 business days
- Time to triage (from report submission): 5 business days
- Time to bounty, if applicable (from triage or resolution, depending on the finding): 5 business days
- Time to resolution (from triage): Varies by severity, anywhere from 1-90 business days
We'll keep you informed about our progress as appropriate throughout the process.
Disclosure policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.
- Follow HackerOne's disclosure guidelines.
- If you would like to encrypt your report, please use the PGP key with long ID 0xDE6887086F892325FEC04CC0D847525B6931381F (available in the public keyserver pool).
Program rules
- Please provide detailed reports with reproducible steps and an accompanying proof-of-concept. If the report is not detailed enough to reproduce the issue, the issue will be closed.
- Use the built-in calculator for the severity of your reported finding; do not submit findings with general or undefined severity values.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
In-scope
Security issues in the current release of all Bitwarden products, including Bitwarden Password Manager, Bitwarden Secrets Manager, and Bitwarden Passwordless.dev. This encompasses all clients, including the web app, browser extension, mobile apps (iOS and Android), desktop app, CLI, and SDKs, as well as server-based code. Product downloads are available at https://bitwarden.com. Source code is available at https://github.com/bitwarden.
Out-of-scope
The following classes are out of scope:
- Authorization state and session expiration on bearer tokens, e.g. using a still-valid token after authorization changes elsewhere
- Bugs that are already reported on any of Bitwarden's issue trackers or that we already know of; note that some of our issue tracking is private
- Issues in an upstream software dependency (e.g. ASP.NET) that are already reported to the upstream maintainer
- Attacks requiring physical access to a user's device
- Self-XSS
- Username / email enumeration
- Issues related to software or protocols not under Bitwarden's control
- Vulnerabilities in outdated versions of Bitwarden
- Missing security best practices that do not directly lead to a vulnerability
- Missing HTTP security headers, e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, Content-Security-Policy, etc.
- CSV injection
- Lack of Secure / HTTPOnly flags on non-sensitive cookies
- Issues that do not have any impact on the general public
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Issues that require unlikely user interaction
- Unencrypted authentication tokens
- KDF count disclosure on the /prelogin server API
- Race conditions affecting business logic
- Exposing "hidden" passwords through client-side manipulation
- Client manipulation or other techniques that lead to the use of premium features not otherwise enabled or allowed
- DMARC, SPF, or other email server or DNS configuration settings and policies
- Broken links
- Recommendations or concerns over sweeping areas of the application’s architecture and/or design
- Scenarios that are extremely complex, difficult, or unlikely, in particular those that rely on already compromised administrative accounts, self-hosted servers, networks, or physical devices, since such access would already offer much easier, alternate means of compromising the data contained within Bitwarden
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of Bitwarden staff or contractors
- Any physical attempts against Bitwarden property or data centers
Additionally, if you have access to or are aware of leaked sets of credentials that may affect Bitwarden users, please contact us and we will work with you on remediation.
A note on rate limiting
There are rate limiting controls on the application, so be careful when running scanners or anything else that might send an excessive number of requests, and add additional wait times to your testing. If you exceed the rate limit too often, your IP will be banned. For this program we request that you submit flaw hypotheses for any enumeration vulnerabilities you believe you have found.
Test plan
- Please use your @wearehackerone.com email alias when signing up for an account.
- For Enterprise access for testing, please create a test organization that is separate from any personal account, then contact us to upgrade.
We want to help you!
If you have something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding the app that would help in your efforts, please contact us and ask for that information. As stated above, Bitwarden wants to help you find issues, and is more than willing to help.
If you feel you have a history of quality reports under this program and should be invited to our private bounty program, please reach out.
Thank you for helping keep Bitwarden and our users safe!