Password Managers — Guide
Open source vs. closed source — what it means for trusting your password manager
What makes this confusing
Open source is frequently cited as a security virtue for password managers. The claim has genuine substance: a codebase that anyone can read is one that independent security researchers, academics, and motivated users can audit for vulnerabilities, verify the cryptographic implementation, and confirm that the zero-knowledge claim holds in code rather than just in marketing copy. This is different from trusting a vendor's description of their own product.
Closed source is not inherently insecure. SOC 2 Type 2 certification, ISO 27001, and third-party penetration tests provide external verification of security posture without requiring code publication. The question is whether those verification mechanisms provide equivalent assurance to open source code review — and the answer depends on what specifically you want to verify and whether your threat model includes the vendor themselves.
The relevant question is not 'is open source always better' but 'what does open source allow you to verify that closed source compliance certifications don't, and does that gap matter for your situation.'
What people usually assume
The assumption 'open source means more people have reviewed the code for security issues' is directionally true but depends on the project's visibility and community engagement. A small open-source project with no active community may receive less security review than a large closed-source product with a dedicated security team and annual third-party audits. Bitwarden's open-source codebase benefits from extensive community review because of its large user base and active security community — that benefit is not automatic for all open-source projects.
A second assumption is that closed-source compliance certifications are sufficient substitutes for code review. SOC 2 and ISO 27001 assess operational security processes, access controls, and incident response procedures. They do not assess whether the cryptographic implementation is correct, whether the zero-knowledge claim holds in the actual code, or whether there are vulnerabilities in the client application. A company can be SOC 2 certified with a flawed cryptographic implementation — the certification addresses different questions than code review does.
A third assumption is that open source eliminates the need to trust the vendor. It reduces the trust requirement but doesn't eliminate it. Published code may not be what's actually deployed in production. Verifying that the compiled binary you download matches the published source code requires reproducible builds, which mainstream password managers have not fully implemented. Open source shifts trust from 'trust us entirely' to 'trust us with production deployment matching published code' — a meaningful but not complete reduction in required trust.
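The reproducible-build check described above comes down to one comparison: the artifact you build yourself from the published source must be byte-for-byte identical to the artifact the vendor distributes, and both should match any digest the vendor publishes. The script below is an added illustration of that comparison and is not code from this guide or from any of the password managers named in it; the file names and their contents are constructed stand-ins for a local rebuild, a downloaded release, and a modified copy, and the "published digest" is simply computed from the constructed download.

```shell
#!/bin/sh
# Added example: compare a locally rebuilt artifact with a downloaded one
# (and a published digest) to check that a binary matches published source.
# File names and contents below are constructed for the demonstration.

# Print the hex SHA-256 of a file, using whichever tool is installed.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# verify_reproducible LOCAL_BUILD DOWNLOADED [PUBLISHED_DIGEST]
# Returns 0 only when the local rebuild and the downloaded artifact hash to the
# same value and, when a published digest is supplied, both match it as well.
verify_reproducible() {
  local_digest=$(digest "$1")
  downloaded_digest=$(digest "$2")
  if [ "$local_digest" != "$downloaded_digest" ]; then
    echo "MISMATCH: local rebuild $local_digest != downloaded $downloaded_digest" >&2
    return 1
  fi
  if [ -n "$3" ] && [ "$3" != "$local_digest" ]; then
    echo "MISMATCH: published digest $3 != artifact $local_digest" >&2
    return 1
  fi
  echo "OK: local rebuild matches downloaded artifact ($local_digest)"
  return 0
}

# --- Constructed demonstration data (not real password-manager releases) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'build output v1.0.0\n' > "$tmp/local-build.bin"
printf 'build output v1.0.0\n' > "$tmp/downloaded.bin"       # identical: reproducible
printf 'build output v1.0.0 + extra\n' > "$tmp/modified.bin"  # differs: not reproducible
published=$(digest "$tmp/downloaded.bin")                     # stands in for a vendor-published digest

# Matching case: the rebuild, the download and the published digest all agree.
verify_reproducible "$tmp/local-build.bin" "$tmp/downloaded.bin" "$published"

# Mismatch case: the downloaded artifact differs from what the source produces.
if verify_reproducible "$tmp/local-build.bin" "$tmp/modified.bin" "$published"; then
  echo "unexpected: modified artifact passed"
else
  echo "expected: modified artifact rejected"
fi
```

The mismatch branch is the whole point of the check: a differing digest tells you the shipped binary was not produced from the published source as-is, which is exactly the gap the text says mainstream password managers have not yet closed. Note that the comparison only means something when the vendor's build process is deterministic; if two honest builds of the same source differ (timestamps, embedded paths), the check cannot distinguish an innocent build difference from an altered artifact.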
What's actually true
Open source provides specific, valuable verification capabilities: the cryptographic implementation can be verified independently; the zero-knowledge claim can be confirmed in code; vulnerabilities found by external researchers can be responsibly disclosed publicly rather than silently patched; and the community can verify that security-relevant changes are not introduced quietly. These are meaningful properties for a tool that manages credentials for all your accounts.
Closed source with strong compliance credentials — Keeper's FedRAMP authorization, for example — provides government-validated assurance of security processes. This is meaningful in regulated environments where compliance certification is a hard requirement and where the audit process is conducted by accredited third parties with legal accountability. It doesn't provide the same properties as code-level verification, but it provides different properties that matter in specific contexts.
In this comparison: Bitwarden publishes the full stack (clients, server, extensions) on GitHub under open-source licenses. Proton Pass publishes client applications. The remaining four providers (LastPass, Dashlane, Keeper, NordPass) are closed source and rely on compliance certifications for external verification. Both Bitwarden and Proton Pass have supplemented open source with independent audits, which provides the strongest available trust baseline.
Where this leads
If open-source auditability is a primary requirement — and you want the full stack, not just clients — Bitwarden is the only option in this comparison with server, clients, and extensions all published.
Bitwarden — full open-source stack and audit history
If open-source clients with strong privacy jurisdiction matter more than full-stack openness — Proton Pass publishes client code and provides Swiss jurisdiction and metadata encryption alongside it.
Proton Pass — open-source clients with Swiss jurisdiction
If compliance certification matters because your environment requires FedRAMP or ISO 27001 — Keeper's compliance stack is the deepest in this comparison for regulated environments.
Keeper — compliance certification for regulated environments
Limits of this guide
Open source is one trust mechanism among several. An open-source project that hasn't been recently audited, has a small maintenance team, or lacks reproducible builds provides less assurance than the 'open source = trusted' shorthand implies. The combination of open source plus regular independent audits plus active community review is the strongest available baseline.
© 2026 Softplorer