Bitwarden

DEVOPS
Velocity: 6.3

Open-source password manager for individuals and teams.

Bitwarden is building toward regulated buyers — a Gov cloud region and FedRAMP scaffolding land in 2026.6.1.

Tags: enterprise, compliance, billing-migration, authentication, post-quantum, self-hosting

Current state

Bitwarden's server ships on a roughly monthly cadence, with point releases for stabilization. The current window is dominated by three threads: billing and plan-migration machinery (Stripe subscription schedules, plan migration cohorts, price-increase handling), authentication and encryption modernization (a master-password key-management service, account encryption v2, TDE key rotation, post-quantum ml-dsa44 keypairs), and enterprise administration (organization invite links, provider authorization, SSRF hardening).

Where it's heading

The direction is unmistakably enterprise and compliance. 2026.6.1 adds a US Gov cloud region behind a FedRAMP feature flag, makes WebAuthn available on all platforms, and tightens which report files self-hosted endpoints will serve. Underneath, the team is methodically replacing feature-flagged logic with shipped defaults and rebuilding the billing layer around Stripe's scheduling API — the groundwork for selling into larger, regulated organizations.

Prediction

Expect the Gov cloud region and FedRAMP work to move from flagged scaffolding toward general availability, and the plan-migration billing machinery to keep maturing as Bitwarden transitions existing customers onto new pricing tiers.

Recent moves

  1. 3d ago

    2026.6.1: US Gov cloud region, FedRAMP scaffolding, cross-platform WebAuthn

    The release that points Bitwarden at regulated buyers: a US Gov cloud region behind a FedRAMP feature flag, WebAuthn made available on all platforms, additional argon2id prelogin configurations, and stricter serving of validated report files. It fits the enterprise-and-compliance arc the billing and auth work has been building toward.

  2. 17d ago

    2026.6.0: feature-flag cleanups, no user-facing change

    A cleanup release that removes feature flags for already-shipped work (session timeout, SDK unlock, Send UI refresh, My Items migration) plus minor fixes. Housekeeping that consolidates earlier features rather than adding new surface.

  3. 29d ago

    2026.5.0: org invite links, .NET 10 upgrade, TDE key rotation

    Incremental but substantive: organization invite-link endpoints, the .NET 10 platform upgrade, TDE user-key rotation, and master-password service foundations. Each advances the enterprise-auth-and-billing arc without redefining it.

  4. 1mo ago

    2026.4.2: subscription-handling fix plus invite-link and platform work

    Headlined as a subscription fix, but carries the same body of enterprise plumbing as the 2026.5 line — invite links, .NET 10, certificate handling. Release-branch overlap; treat it as continued enterprise hardening.

  5. 1mo ago

    2026.4.1: post-quantum ml-dsa44 keypairs, SSRF protection, new item types

    Adds post-quantum ml-dsa44 keypair support, secure SSRF protection for internal IPs, and a bank-account item type, alongside heavy feature-flag scaffolding for organization invite links. The post-quantum and SSRF work foreshadow the compliance posture 2026.6 leans into.

  6. 2mo ago

    2026.4.0: HTTPS deeplink redirect, Stripe schedule API, Send policy consolidation

    Sets up Stripe Subscription Schedule operations, adds HTTPS deeplink redirect for cloud users, and consolidates Send policies into one. The Stripe scheduling groundwork is what the later plan-migration cohorts build on.
