Have I Been Pwned to release code base to the open source community
Data breach and record exposure search engine Have I Been Pwned is going open source.
Developed and maintained by security expert Troy Hunt, the search engine has become increasingly popular over time as the volume of reported data breaches ramped up, prompted by legislation and demands for transparency by companies suffering such a security incident.
When data breaches occur, financial records, sensitive corporate information, as well as personally identifiable information (PII) belonging to customers and clients, may be compromised or stolen. Data sets often appear for sale in the Dark Web for the purposes of card cloning or identity theft.
TechRepublic: The secret to becoming an open source project lead
Members of the general public can submit their email addresses into the Have I Been Pwned search engine to find out if they have been “pwned,” and if their emails have been linked to a data breach, each one and a summary of what happened is displayed — as well as what information has been exposed.
Since its launch in 2013, Hunt has poured more resources, including time and energy, into managing the search engine over time, expanding the service to include domain monitoring and breach alerts.
At the heart, one main operator isn’t enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life’s work.
Unfortunately, the merger and/or acquisition process failed, and so Hunt has decided to pursue another alternative — opening up the Have I Been Pwned code base to the open source community.
In a blog post on Friday, Hunt said that Have I Been Pwned has always been a community project, with every dataset contributed by others; Cloudflare providing free hosting for many of the search engine’s services, and code used by Have I Been Pwned drawing upon community contributions.
“The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed; the project cannot be solely dependent on me,” Hunt says. “Yet that’s where we are today and if I disappear, HIBP quickly withers and dies.”
By going open source, Hunt says this will take the “nuts and bolts” of the service and “put them in the hands of people who can help sustain the service regardless of what happens to me.”
Have I Been Pwned was developed to improve the security landscape and give individuals impacted by a data breach the knowledge required to potentially improve their own security posture — such as by changing passwords linked to compromised accounts and to hammer the lesson home that passwords should not be re-used across different services.
With this in mind, going open source would also contribute to this concept by opening up code to other eyes — increasing trust through transparency, and also potentially improving the platform’s own security via the discovery of vulnerabilities.
“All that backlog, all those bugs, all the great new ideas people have but I simply can’t implement myself can, if the community is willing, finally be contributed back into the project,” the security expert added.
Have I Been Pwned can’t simply be dumped on GitHub in its current state. Hunt is working with talent across open source and cloud systems to open up the code base incrementally, and so there is no fixed timeline for the platform to go fully from closed to open.
When it comes to the data, even possessing it is a gray area, albeit one with value as a necessary element of the Have I Been Pwned platform. Hunt says that as the open source quest begins, it will be a challenge to make sure stringent privacy controls are in place, a doable but “non-trivial” task.
“I’ve used the word “community” a lot […] and I can’t understate the importance of the role other people have played in the project’s success,” Hunt says. “I know this […] will be met with much enthusiasm because that’s what many of you have been telling me to do for a long time. I’ve listened, now it’s time to make it a reality.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0