Hunt noted there were a few reasons for this, including the prevalence of open source projects and the fact that Have I Been Pwned has always been “open in spirit.” On a practical level, it’ll enable others to fix bugs and implement ideas that he’s not necessarily able to.
It’ll take some time to fully open up the code base, and Hunt plans to do so gradually. “The transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that’s both manageable and responsible,” he wrote.
It’s a complex process, especially when you consider the highly sensitive troves of data that make Have I Been Pwned an important service. While much of that data is already in the wild, Hunt said he needed to ensure “privacy controls prevail across the breach data itself even as the code base becomes more transparent.”
Some other services, particularly password managers, also help people monitor whether their data or credentials have been included in a breach. Still, Have I Been Pwned is perhaps the best-known such resource, allowing people to find out whether their email address is among billions of records from hundreds of data breaches. Taking steps to ensure it’ll remain available in the long run is a welcome move on Hunt’s part.