help doc updates

_articles/security/is-bitwarden-audited.md

@@ -0,0 +1,17 @@
+---
+layout: article
+title: Is Bitwarden audited?
+categories: [security]
+featured: true
+popular: true
+hidden: true
+tags: [audit]
+---
+
+Yes.
+
+By making 100% of our source code available under an open source GPLv3 license, our goal is to be as transparent as possible about how Bitwarden works and how it handles your sensitive data. However, we also understand the need for reputable, independent third-party experts to officially audit the Bitwarden codebase.
+
+Bitwarden has received a thorough security assessment and cryptographic analysis by a third-party security auditing firm. You can read more about this security audit [here](#){:target="_blank"}.
+
+Bitwarden also interacts with independent security researchers through our public bug bounty program on [HackerOne](https://hackerone.com/bitwarden/){:target="_blank"}.

_articles/security/password-salt-hash.md

@@ -11,4 +11,4 @@ Yes.
 
 Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.
 
-The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have **no value** to the hacker.
+The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have **no value** to the hacker.

_articles/security/what-encryption-is-used.md

@@ -9,16 +9,16 @@ tags: [encryption]
 
 Bitwarden uses [AES][aes]{:target="blank"} 256 bit encryption as well as [PBKDF2][pbkdf2]{:target="blank"} to secure your data.
 
-[AES][aes]{:target="blank"} is used by the US government and other government agencies around the world for protecting top secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
+[AES][aes]{:target="blank"} is a standard in cryptography and used by the US government and other government agencies around the world for protecting top secret data. With proper implementation and a strong encryption key (your master password), AES is considered unbreakable.
 
-[PBKDF2][pbkdf2]{:target="blank"} is used to derive the encryption key from your master password. This key is then salted and hashed.
+[PBKDF2][pbkdf2]{:target="blank"} SHA-256 is used to derive the encryption key from your master password. This key is then salted and hashed. The default iteration count used with PBKDF2 is 100,001 iterations on the client (this client-side iteration count is configurable from your account settings), and then an additional 100,000 iterations when stored on our servers (for a total of 200,001 iterations by default).
 
-Bitwarden does not write any crypto code. Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:
+Bitwarden does not write any cryptographic code. Bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. The following crypto libraries are used:
 
 - JavaScript (web, browser extension, desktop, and CLI vaults)
-  - [Forge][forge]{:target="blank"}
   - [Web Crypto][webcrypto]{:target="blank"}
   - [Node.js Crypto][nodecrypto]{:target="blank"}
+  - [Forge][forge]{:target="blank"}
 - C# (mobile vault)
   - CommonCrypto (iOS, Apple)
   - Javax.Crypto (Android, Oracle)

_articles/security/why-should-i-trust-bitwarden.md

@@ -8,8 +8,9 @@ tags: []
 ---
 
 1. Bitwarden is 100% open source software. All of our source code is hosted on [GitHub](https://github.com/bitwarden){:target="_blank"} and is free for anyone to review. Thousands of software developers follow Bitwarden's source code projects (and you can too!).
-2. We do not store your passwords. We store encrypted versions of your passwords [that only you can unlock]({% link _articles/security/can-bitwarden-see-my-passwords.md %}).
-Your sensitive information is all encrypted locally on your personal device before ever being sent to our cloud servers.
-3. Bitwarden has a reputation. Bitwarden is used by hundreds of thousands of individuals and businesses. If we did anything questionable or risky we would be out of business.
+2. Bitwarden [is audited]({% link _articles/security/is-bitwarden-audited.md %}) by reputable third-party security auditing firms as well as independent security researchers.
+3. Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords [that only you can unlock]({% link _articles/security/can-bitwarden-see-my-passwords.md %}).
+Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers.
+4. Bitwarden has a reputation. Bitwarden is used by hundreds of thousands of individuals and businesses. If we did anything questionable or risky we would be out of business.
 
 Still don't trust us? You don't have to. Open source is beautiful. You can easily host the entire Bitwarden stack yourself. You control your data. Learn more [here]({% link _articles/hosting/install-on-premise.md %}).