From d7a93be535e3bc059d5398dfaa3bf948abb317a1 Mon Sep 17 00:00:00 2001
From: jsulederernw <86004721+jsulederernw@users.noreply.github.com>
Date: Fri, 22 Nov 2024 12:00:44 +0100
Subject: [PATCH] mentioning ernw and the respective vulnerability disclosure

---
 Audits.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Audits.md b/Audits.md
index 3e4ae3a..d5401d7 100644
--- a/Audits.md
+++ b/Audits.md
@@ -22,3 +22,10 @@ They even have a more detailed ZIP file with all raw information located here: h
 As a reference you can download the report here:
  - [Original - German - Vaultwarden-Passwortmanager.pdf](https://github.com/user-attachments/files/17805671/Vaultwarden-Passwortmanager.pdf)
  - [Translated - English - Vaultwarden-Passwortmanager.en.pdf](https://github.com/user-attachments/files/17805672/Vaultwarden-Passwortmanager.en.pdf)
+
+## Penetration Test by ERNW Enno Rey Netzwerke GmbH
+
+[ERNW Enno Rey Netzwerke GmbH](https://ernw.de) assessed Vaultwarden during a penetration test for a customer in October 2024. In June 2024, the German Federal Office for Information Security (BSI) published results of a static and dynamic test of the Vaultwarden server component. Therefore, only a partial source code audit was performed during the assessment which also focussed on other software and infrastructure. ERNW identified 3 vulnerabilities, including an authentication bypass, that were responsibly disclosed to Vaultwarden. A writeup of the vulnerabilities is described in ERNW's blog Insinuator: 
+
+- https://insinuator.net/2024/11/vulnerability-disclosure-authentication-bypass-in-vaultwarden-versions-1-32-5/
+