Security

The Security section of this documentation outlines the foundational approach Bitwarden takes to ensure the safety and integrity of user data. It provides a structured framework for understanding Bitwarden's security philosophy, the principles it adheres to, and the specific requirements it implements to meet its commitments.

Conventions

Key words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this section are to be interpreted as described in RFC2119.

References

Principles in this documentation are labeled with unique identifiers (e.g., P01, P02, etc.) for easy reference throughout the document and in related discussions. When referencing a principle, simply use its identifier (e.g. P01).

Requirements in this documentation use a shorthand format (e.g. XX.N.y) to indicate their specific location and context (e.g. VD.3.b).

Structure of the security section

  1. Definitions: This part establishes the foundational terminology used throughout the document. By clearly defining key concepts, such as what constitutes "vault data", it ensures that the rest of the document is precise and unambiguous.
  2. Principles: The principles describe the overarching philosophies and commitments that guide Bitwarden's approach to security. These principles are not actionable rules but rather serve as the justifications for the requirements that follow. They define what Bitwarden aims to achieve in its security posture and why certain decisions are made.
  3. Requirements: Building on the principles, the requirements are concrete, actionable steps that Bitwarden is required to implement. These requirements ensure that the principles are upheld in practice and provide a measurable way to assess Bitwarden's security efforts.

This structure is meant to avoid unnecessary repetition and establish a logical flow from high-level philosophies to specific actions. It ensures that every requirement is tied to a well-defined principle, making it clear why it exists and what it is meant to achieve. The document is designed for both internal stakeholders and external users who seek to understand the company's security model.