That was 9 years ago, not "now". BitLocker was the only alternative that they could recommend back then.
It's possible that whatever vulnerability the TrueCrypt developers were alluding to still lurks in the VeraCrypt codebase, but the chances seem pretty low. VeraCrypt uses much stronger encryption methods, it has addressed all the issues raised in the original TrueCrypt audit as well as a separate audit of its own code, and the latest version isn't even backward-compatible with TrueCrypt volumes.
No, recommending BitLocker back then was basically a joke to anyone at that time, an obvious way of telling you something wrong.
The obvious recommendation back then was LUKS. And even if there were no alternatives they're not going to recommend you a proprietary solution with a high chance of being backdoored. They'll just say to use "other software".
The majority of TrueCrypt users were on Windows and needed a GUI. Backdoors or not, BitLocker was the only comparable alternative.
Recommending BitLocker might have been a signal to hackers in the aftermath of the Snowden revelations, but IIRC the announcement also included a detailed tutorial for setting up BitLocker that was actually quite helpful to anyone whose threat model mostly concerned thieves, corporate spies, and non-Five Eyes intelligence agencies.
This probably has nothing to do with vulnerabilities in the source code, it has to do with the observations that Mounir Idrassi took over TrueCrypt very fast when it was shut down, yet was not known in cryptography circles prior to this at all, and his company idrix.fr looks a lot like a typical DGSE shell company. It is unclear what kind of contracts it had (if any) before it dedicated seemingly most of its time to VeraCrypt.
Of course, it would be the binaries that are the problem, if there is one. If you vet the source code and compile it yourself, there shouldn't be any issue. Note that the French government has a long history of being anti-cryptography for end-consumers.
I personally wouldn't even touch Veracrypt with a long pole. But that's just my personal opinion.
They audited the source code. I was talking about the executables on their website. Intelligence agencies tend to substitute binaries with compromised executables when they are downloaded by specific targets. We know that's what the NSA was routinely doing (among other things like hardware interception) from the Snowden revelations. There is no reason to believe DGSE works differently. Of course, it is also possible to provide compromised source code to specific targets if necessary.
Replacing binaries for specific targets certainly happens more than one would like. This has even happened specifically with TC and VC files in the past. A mitigating circumstance though with Veracrypt is that the binaries also have detached GPG signatures that one can check against IDRIX's public key to verify that it is in fact what Idrassi has released on the website. It's still possible for actors to tamper with the binaries in other ways even if signed, so it's best to pull from source and periodically check the diffs.
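The check described in the comment above, as an added example that is not part of the thread or of VeraCrypt's own tooling: verify a downloaded release against its detached GPG signature and pin the expected signing-key fingerprint, since a bare "Good signature" from `gpg --verify` is produced for any key in the local keyring. The fingerprint shown is a placeholder, not IDRIX's real one; obtain the real fingerprint out of band.

```shell
#!/bin/sh
# Added example (not from the thread): verify FILE against detached SIGFILE
# and require that the signing key's fingerprint equals EXPECTED_FPR.
# Parses gpg's machine-readable VALIDSIG status line instead of trusting
# the human-readable "Good signature" text, which any keyring key produces.
# EXPECTED_FPR is a placeholder; replace it with the real key's fingerprint.

# verify_release FILE SIGFILE EXPECTED_FPR
# Returns 0 only if SIGFILE is a valid signature over FILE made by the key
# (or a subkey of the key) whose 40-hex-digit fingerprint is EXPECTED_FPR.
verify_release() {
    file=$1; sig=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 emits lines such as:
    #   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> ... <primary-key-fpr>
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
    [ -n "$got" ] || return 1
    # Accept a match on either the signing subkey or its primary key.
    [ "$got" = "$expected" ] || [ "$primary" = "$expected" ]
}

# Usage: verify_release.sh VeraCrypt_Setup.exe VeraCrypt_Setup.exe.sig <fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: bad signature or unexpected signing key" >&2
        exit 1
    fi
fi
```

Pinning the fingerprint does not help if the key itself was obtained from the same compromised download path, so compare it against a copy fetched through a different channel.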
the latest version isn't even backward-compatible with TrueCrypt volumes
Are you sure? I thought it could open them in read-only mode. Here's a 2023 post suggesting it's supposed to still be able to open TC 6.0+ files, though the user in question is having trouble: https://sourceforge.net/p/veracrypt/discussion/technical/thr...