is it really FOSS?

Bitwarden

A password management solution

Issues exist
There's some FOSS code here, but there are licensing, marketing or transparency issues.

Details

The project is provided under a mix of licenses. The main server-side core is provided under an AGPLv3 license, and the core of the client applications is provided under a GPLv3 license, but both elements contain code which is under a non-FOSS BITWARDEN LICENSE AGREEMENT which limits use, modification & distribution. The code under the “BITWARDEN LICENSE AGREEMENT” does appear to be placed in its own separate directory, and from a basic search the FOSS code is not reliant on the non-FOSS code.

The project has previously made their desktop client dependent on their non-FOSS SDK code, although this has since been addressed. The same issue prevented the Android client from being added to the main F-Droid repo.

The project advertises itself as open source, including on its homepage, about page, and on a dedicated page. The official Flatpak package description states “Bitwarden is 100% open source software”.

The licensing of the main provided downloads is unclear. The Linux desktop app Flatpak is labelled as just GPLv3. The license of their deb packages has been queried on GitHub with no official answer. The licensing of their CLI has also been queried with no answer. From looking at the CLI source, there are different build actions for “oss” and “bit” (non-FOSS) variants of the CLI.

By downloading their “ghcr.io/bitwarden/api” docker image and exploring it via a shell, /app/Commercial.Core.pdb and /app/Commercial.Infrastructure.EntityFramework.pdb files could be observed within the container, which align with some of their non-FOSS packages. Further supporting the idea that the default self-hosting option is not solely FOSS-based is their license guidance, which makes it seem like features can be “unlocked” by registering a license key in the self-hosted version.

When self-hosting, Bitwarden requires you to provide your email address to gain an “installation id” and “installation key” from them, which they claim are needed to contact you about security updates, to authenticate push notifications, and to validate licensing.

When viewing the Bitwarden offerings, it was not easy to understand which features are part of the non-FOSS offerings only, and therefore what is and what is not FOSS without diving into the codebase.

Bitwarden also has a sub-project, Passwordless, which they reference as an open source solution. This was queried on GitHub, but they still reference the project as open source 2 years later.

The project appears to have raised at least $100m in funding from investors which include PSG and Battery Ventures. The project also appears to gain revenue from providing their software as a service, from selling licenses to extra variations of their software, and from providing support services.

Details last reviewed 2025-08-04. Our reviews are performed manually, without legal expertise, and therefore may be inaccurate or missing detail relevant for your use. Please don't treat this as legal guidance or assurance of any kind.

Found mistakes or outdated information? Let us know by opening an issue on Codeberg.