Troy Hunt, the security expert who handles the breach notification website Have I Been Pwned, announced late last week that he is ready to make the code behind the site available in open source.
Have I Been Pwned allows users to verify whether their emails or passwords have been exposed as part of a data breach and has become the place to go for information when massive data breach dumps become public.
Over the past couple of years, the site’s popularity has increased after an API that allows for the fast search of compromised account data from third-party products and services started being integrated into browser extensions, applications, mobile software, notification websites, and the like, including Firefox and LastPass.
Hunt now says that the time has come for the project to evolve into open source, especially given the fact that community contributions to Have I Been Pwned have increased significantly recently.
“Every single byte of data that’s been loaded into the system in recent years has come from someone who freely offered it in order to improve the security landscape for everyone. Many of the services that HIBP runs on are provided free by the likes of Cloudflare,” Hunt says.
He also notes that the community has contributed to the code behind the website as well, either through the use of publicly available content or through direct support for the project.
“The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP. Open sourcing the code base is the most obvious way to do this. It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me,” Hunt says.
The move to make the code open source would also addresses concerns regarding the manner in which the service runs (such as the fact that it does not log any of the searches), while helping identify people who can help the project evolve, he notes.
Hunt also points out that the process of moving to open source isn’t an easy one, and that the transition will take some time, with support from people who understand what needs to be done, but no timeframe for when the process will be completed has been provided.
“Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent,” he also says.