Add security foundations section #487

Merged
merged 30 commits into from
Jan 31, 2025
Merged
648221f
feat: add new security section
coroiu Nov 22, 2024
585c402
feat: port definitions
coroiu Nov 22, 2024
bf8369d
feat: add first principle
coroiu Nov 22, 2024
e65f223
feat: add second principle
coroiu Nov 25, 2024
cebbeb3
feat: add third principle
coroiu Nov 25, 2024
40a8bb7
feat: add note about TEEs to P03
coroiu Nov 25, 2024
6e650d7
chore: change protection > security
coroiu Nov 25, 2024
bcd9467
feat: add fourth principle
coroiu Nov 25, 2024
8da13ec
feat: add fifth principle
coroiu Nov 25, 2024
4c755bb
feat: add fifth principle
coroiu Nov 25, 2024
e958797
feat: add an overview page
coroiu Nov 25, 2024
5d8a121
fix: remove repetition
coroiu Nov 25, 2024
3247efe
chore: rename file to match content
coroiu Nov 25, 2024
f9e585d
refactor: use hyphen in title
coroiu Nov 25, 2024
425f808
fix: links
coroiu Nov 25, 2024
e4f44ea
refactor: remove any after comment
coroiu Nov 25, 2024
b4a8c8d
feat: add current version of requirements
coroiu Nov 26, 2024
0222f3f
feat: add introduction to requirement structure
coroiu Nov 26, 2024
663b464
feat: add Client definition
coroiu Dec 10, 2024
aaca302
fix: tweak user definition
coroiu Dec 10, 2024
0373e12
feat: add technical consideration section to P01
coroiu Dec 10, 2024
528330f
fix: clarify which data locking protects
coroiu Dec 10, 2024
d5548f7
fix: typo
coroiu Dec 10, 2024
563e3a7
fix: change `linger` to `not present in memory`
coroiu Jan 9, 2025
83f0d56
fix: re-define sharing to match EA, previous definition of sharing is…
coroiu Jan 9, 2025
8eceee3
fix: font-weight
coroiu Jan 22, 2025
952a43c
feat: add token protected in transit req
coroiu Jan 22, 2025
7de826f
feat: change AT.2 to `must`
coroiu Jan 22, 2025
43c1e0e
chore: move security under architecture
coroiu Jan 27, 2025
43675f6
fix: various copy feedback
coroiu Jan 27, 2025
feat: add an overview page
coroiu committed Nov 25, 2024

commit e95879784b60fd7fd7475a8359b21a8b4f9b614e
4 changes: 4 additions & 0 deletions docs/security/definitions.mdx
@@ -1,3 +1,7 @@
---
sidebar_position: 2
---

# Definitions

<dl>
39 changes: 37 additions & 2 deletions docs/security/index.mdx
@@ -4,10 +4,45 @@ sidebar_position: 1

# Security

:::info
The Security section of this documentation outlines the foundational approach Bitwarden takes to
ensure the safety and integrity of user data. It provides a structured framework for understanding
Bitwarden's security philosophy, the principles it adheres to, and the specific requirements it
implements to meet its commitments.

## Conventions

### Key words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this section are to be interpreted as described in
[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119).

:::
### References

Principles in this documentation are labeled with unique identifiers (e.g., P01, P02, etc.) for easy
reference throughout the document and in related discussions. When referencing a principle, simply
use its identifier (e.g. P01).

Requirements in this documentation use a shorthand format (e.g. XX.N.y) to indicate their specific
location and context (e.g. VD.3.b).

## Structure of the security section

This section is divided into three parts:

1. **Definitions** This part establishes the foundational terminology used throughout the document.
By clearly defining key concepts—such as what constitutes "vault data"—it ensures that the rest
of the document is precise and unambiguous.
2. **Principles** The principles describe the overarching philosophies and commitments that guide
Bitwarden's approach to security. These principles are not actionable rules but rather serve as
the justifications for the requirements that follow. They define what Bitwarden aims to achieve
in its security posture and why certain decisions are made.
3. **Requirements** Building on the principles, the requirements are concrete, actionable steps that
Bitwarden is required to implement. These requirements ensure that the principles are upheld in
practice and provide a measurable way to assess Bitwarden's security efforts.

This structure is meant to avoid unnecessary repetition and establish a logical flow from high-level
philosophies to specific actions. It ensures that every requirement is tied to a well-defined
principle, making it clear why it exists and what it is meant to achieve. The document is designed
for both internal stakeholders and external users who seek to understand the company's security
model.
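Review bot: the `:::info` admonition opened above the intro paragraph is not closed until after the "### Key words" subsection, so the "## Conventions" heading and the RFC 2119 paragraph render inside the info box while "### References" does not; move the closing `:::` to directly after "implements to meet its commitments." so the admonition wraps only the introductory paragraph. The References paragraph introduces the requirement shorthand (`XX.N.y`, e.g. `VD.3.b`) without saying what each component denotes; a one-line gloss of the section code, the number and the letter would let a reader resolve an identifier without guessing. Since the key-word paragraph cites RFC 2119 alone, consider also citing RFC 8174, which clarifies that these words are normative only when written in capitals; the body of this page itself uses lowercase forms in ordinary prose ("Bitwarden is required to implement"), so the distinction matters for how the requirements pages will be read.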
1 change: 1 addition & 0 deletions docs/security/principles/_category_.yml
@@ -1 +1,2 @@
label: "Principles"
position: 3