bitwarden/server
Maintainers
This page summarises who owns what in the repo, derived from .github/CODEOWNERS. Use it to figure out who to ask when a PR needs review or when a system gets weird.
CODEOWNERS rules are evaluated last-match-wins, so the more-specific a rule is the more authoritative it is.
Default owners
There is no global default owner; CODEOWNERS only applies the rules listed. Files outside any rule fall back to repository-level reviewers.
Teams
| GitHub team | Domain |
|---|---|
@bitwarden/team-auth-dev |
Auth — Identity host, IdentityServer, Sso, login flows, 2FA, login-with-device, key derivation. Owns **/Auth, bitwarden_license/src/Sso, src/Identity, src/Core/Identity, src/Core/IdentityServer, and test/Identity*. |
@bitwarden/team-vault-dev |
Vault — ciphers, folders, attachments, sends. Owns **/Vault. Joint ownership of **/Vault/AuthorizationHandlers with Admin Console. |
@bitwarden/team-admin-console-dev |
Admin Console — organizations, members, groups, policies, SCIM. Owns **/AdminConsole, bitwarden_license/src/Scim. |
@bitwarden/team-billing-dev |
Billing — Stripe / PayPal / Braintree / BitPay, subscriptions, payments, invoices, organization licenses. Owns **/*billing*, **/*stripe*, **/*paypal*, **/*braintree*, **/*bitpay*, **/*subscription*, **/*payment*, **/*invoice*, **/*OrganizationLicense*, **/Billing. |
@bitwarden/team-tools-dev |
Tools — sends, imports/exports, password generator. Owns **/Tools. |
@bitwarden/team-key-management-dev |
Key Management — user-key rotation, KDF, master-password change. Owns **/KeyManagement. |
@bitwarden/team-data-insights-and-reporting-dev |
Dirt (Data Insights & Reporting) — reports, audit-event ingest, integrations. Owns **/Dirt, src/Events, src/EventsProcessor, test/Events*, test/EventsProcessor*. |
@bitwarden/team-platform-dev |
Platform — cross-cutting infra, push, configuration, application cache, build / test workflows, MsSqlMigratorUtility. Owns **/*Platform* and many .github/workflows/*.yml files. |
@bitwarden/team-autofill-dev |
Autofill — StaticStore.cs, GlobalEquivalentDomainsType.cs. (Most autofill code is on the clients; the server contributions are narrow.) |
@bitwarden/team-ui-foundation |
UIF — src/Core/MailTemplates/Mjml. Owns the shared MJML components; other teams own their own template subdirectories. |
@bitwarden/team-sdk-sme |
SDK SME — util/RustSdk (the Rust SDK port consumed by the cipher domain). |
@bitwarden/team-ai-sme |
AI SME — .claude/, .github/workflows/respond.yml, .github/workflows/review-code.yml. |
@bitwarden/team-appsec |
AppSec — Dockerfiles, dockerignore, docker-compose, entrypoints, .checkmarx/. (Joint with Shot.) |
@bitwarden/dept-shot |
Shot — Docker / packaging / OS-level integration. Joint with AppSec on container files. Joint with Platform on util/Setup. |
@bitwarden/dept-bre |
BRE (Build & Release Engineering) — .github/workflows/publish.yml, plus the unowned-but-protected files (every packages.lock.json, Directory.Build.props, .devcontainer/**, dev/docker-compose.yml). |
@bitwarden/dept-dbops |
DBOps — src/Sql/**, every migration script under util/Migrator/DbScripts*, every EF migrations project, scaffold project. |
File-level callouts
| File / path | Owner | Reason |
|---|---|---|
src/Core/Platform/Push/PushType.cs |
No owner (intentional) | Any team adds new push types without needing Platform review. |
.github/workflows/_move_edd_db_scripts.yml |
No owner | Shared CI workflow. |
.github/workflows/release.yml |
No owner | Shared CI workflow. |
src/Core/MailTemplates/Mjml/.mjmlconfig |
No owner | Lets teams add MJML components in their own subdirectories without UIF review. |
Multi-owner rules of thumb
- A vault PR that touches authorization handlers needs both Vault and Admin Console reviewers.
- A Dockerfile change needs both AppSec and Shot.
- A
util/Setupchange needs Shot and Platform. - A migration script lands with DBOps approval; the
MigratorC# project itself is owned by Platform.
When in doubt
- Ask in
#serveron Bitwarden's internal Slack. - For self-host operator-facing changes, also loop in
@bitwarden/dept-shot(they own the bundle). - For changes that touch the public OpenAPI specs, coordinate with the API consumers (Directory Connector, mobile, web vault) — those teams live in sibling repos.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.