I’ve never heard Full Disclosure concepts applied to serving stolen PII in an API.
The reason is that the purpose of full disclosure is to shame the vendor into ensuring the patch is made, and to warn the user base that the attack is possible, while disclosing a flaw in a commercial product.
In this case, we are not effectively doing either naming or shaming by publishing actual email addresses, rather than just user counts and the type of hashing that was performed.
And at the same time the information being “bartered” is private user information and not merely identifying a flaw in a commercial product.
I fail to see how an API into the HIBP database can be justified under the concept of full disclosure, particularly when the service could have been implemented as an email report to the queried email address.
You left out the biggest part of full disclosure in my opinion. The reason for full disclosure is that those who are affected by a security flaw in a product they are using have a right to know about the dangers of that piece of software.
But once I put that down in writing I discovered you are right about the difference in this instance.
The people who have the right to know about the flaw in this instance are those whose accounts were compromised. Giving it to the general public is to further victimize them, rather than help them protect themselves.
I don't think that's the most important part. Rather:
Full disclosure can also protect previously unaffected / potential future customers, by warning them of companies that have been so lax with their security that they've been breached.
So to achieve a comparable upside to full disclosure, HIBP needs to also make aggregate data publicly available. Which they do:
It feels that way, but there is definitely a different utility value in “searchable by the whole world” and “leaked in obscure formats in small nonpublic forums”.
Troy has absolutely added value here, although 100% of the data is already “public” from having been leaked.
Searching over data that was publicly available some time in the past (but isn’t now) is also a value, sort of like time-shifting of the publicness of the data...