Security
Outlines the foundational approach Bitwarden takes to ensure the safety and integrity of user data. It provides a structured framework for understanding Bitwarden's security philosophy, the principles it adheres to, and the specific requirements it implements to meet its commitments.
Conventions
Keywords
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this section are to be interpreted as described in RFC 2119.
References
Principles in this documentation are labeled with unique identifiers (e.g., P01, P02) for easy reference throughout the document and in related discussions. When referencing a principle, simply use its identifier (e.g., P01).
Requirements in this documentation use a shorthand format of the form XX.N.y, where XX identifies the section, N the numbered requirement group, and y the individual requirement, to indicate their specific location and context (e.g., VD.3.b).
Structure
This structure is meant to avoid unnecessary repetition and establish a logical flow from high-level philosophies to specific actions. It ensures that every requirement is tied to a well-defined principle, making it clear why the requirement exists and what it is meant to achieve. The document is designed for both internal stakeholders and external users who seek to understand Bitwarden's security model.
Definitions
Establishes the foundational terminology used throughout the document. By clearly defining key concepts -- such as what constitutes "vault data" -- it ensures that the rest of the document is precise and unambiguous.
Principles
Describes the overarching philosophies and commitments that guide Bitwarden's approach to security. These principles are not actionable rules but rather serve as the justifications for the requirements that follow. They define what Bitwarden aims to achieve in its security posture and why certain decisions are made.
Requirements
Building on the principles, the requirements are concrete, actionable steps that Bitwarden is required to implement. These requirements ensure that the principles are upheld in practice and provide a measurable way to assess Bitwarden's security efforts.