Project Svalbard, Have I Been Pwned and its ongoing independence (troyhunt.com)
532 points by MattConfluence on March 2, 2020 | hide | past | favorite | 97 comments



I appreciate what HIBP does, but I believe it serves Troy's personal brand more than it would any corporate owner. The biggest issue is the data is super stale. Things regularly pop up in SpyCloud 6-12 months before HIBP, and as a result they are a much more attractive acquisition target.

There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and his other services. I reached out to Troy about sponsoring Report-URI because it was a service I believed benefitted the internet. In response I received a snarky response about how I didn't understand how web-scale CloudFlare was, when I was effectively offering to cover all the company's infrastructure costs for the foreseeable future (multiple dozens of servers and XX Gbps of bandwidth).


> There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and his other services.

How is it unreasonable? Do you criticize the hosting platform / CDN of every service you use?

CF has been a huge help to Troy with optimizing caching and helping him with the k-anonymity setup to make the scale of HIBP possible with less infrastructure. Their network is top notch (sub 10ms for most population centers) and they are trying to give back to the broader community by donating the bandwidth and cache to greater good projects like this.
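What the k-anonymity setup mentioned above buys, as an added example that is not HIBP's or Cloudflare's code: the client hashes the password, sends only a 5-hex-character SHA-1 prefix, the server returns every known suffix in that range with its breach count, and the client matches locally, so each response is a fixed bucket that a CDN can cache and the server never sees the password. The range layout assumed here follows the publicly described Pwned Passwords design; the corpus, counts and function names are constructed for the example.

```python
"""Toy model of the k-anonymity range query behind a breached-password check.

Added example, not code from HIBP or Cloudflare. Assumed design: SHA-1 of the
password, uppercase hex; the client transmits the first 5 characters; the
server answers with 'SUFFIX:COUNT' lines for that whole range; the client
looks for its own suffix in the answer. The "server" is an in-memory index
built from a constructed sample corpus.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # 16**5 ranges, so one bucket holds roughly a millionth of the corpus
HEX_DIGITS = set("0123456789ABCDEF")

# Constructed sample corpus standing in for the breach dataset:
# (password, number of times seen). Counts are made up.
SAMPLE_CORPUS = [
    ("password", 120),
    ("123456", 300),
    ("letmein", 45),
    ("qwerty", 88),
    ("hunter2", 7),
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form assumed for the range protocol."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group hash suffixes by their prefix.

    Each prefix bucket is an independent response body, which is what makes
    the whole dataset cacheable at the edge: there is a bounded number of
    distinct requests, and none of them depends on a secret."""
    index = defaultdict(dict)
    for password, count in corpus:
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def serve_range(index, prefix: str) -> str:
    """Server side: the response for one prefix, one 'SUFFIX:COUNT' per line.

    The server only ever learns the prefix, so it cannot tell which of the
    suffixes in the bucket (if any) the client is interested in."""
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    bucket = index.get(prefix, {})
    return "\r\n".join("%s:%d" % (s, c) for s, c in sorted(bucket.items()))


def client_request(password: str) -> str:
    """Client side: the only value that leaves the client, the hash prefix."""
    return sha1_hex(password)[:PREFIX_LEN]


def check_password(index, password: str) -> int:
    """Client side: fetch the range for the prefix, match the suffix locally.

    Returns the breach count, or 0 when the password is not in the corpus."""
    digest = sha1_hex(password)
    suffix = digest[PREFIX_LEN:]
    body = serve_range(index, client_request(password))
    for line in body.splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        print("%r: prefix sent %s, seen %d times" % (pw, client_request(pw), check_password(idx, pw)))
```

Because `serve_range` depends only on the prefix, every one of the 16**5 possible responses can be precomputed and cached, which is the infrastructure saving the comment refers to.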


If your whole raison d'etre is to be a trusted source on privacy and security matters, then putting yourself in a position where you can't speak objectively about the organisation that controls 10% of the internet's traffic is massively compromising that. I'm sure Hunt will do his best, but how could anyone possibly make a fair judgement of something controversial like "Flexible SSL" when his livelihood is dependent on them?


I am sure that literally any one of our competitors would give Troy their service for free. He's free to leave whenever he wants. And he's 100% free to criticize us while remaining a customer.


I love that you're here ... and as transparent as possible. Thanks for the work you do in keeping the Internet running (and as far as possible - "safe").


Well, I've been here close to 13 years (https://news.ycombinator.com/user?id=jgrahamc). Seems a shame to leave now.


> I was effectively offering to cover all the companies infrastructure costs

So basically what CF does today? Except he would have to reengineer everything to fit a new setup? Was he snarky or just explaining himself?


HIBP's M&A process & Troy's hurdles in running HIBP highlight two fundamental points of friction in running a single person company.

Reg. Value of a single person company.

> This was another really unexpected part of the experience - how people perceived me personally and put a value on my brand.

Maybe Troy really didn't expect that the only person running an entity to be bought would be valued, sometimes even higher than the product/service itself; but it also needs to be understood that the company which is willing to buy an entity for a single person is undertaking an extraordinarily huge risk due to the bus factor.

Reg. Compliances of a Business when running as a single person.

> I still manually verified every breach, hand edited every logo of a pwned company, issued (and chased) every invoice, did the tax returns and prepared the business activity statements.

At least Troy seems to be located in a jurisdiction with straightforward business regulations. Maybe most of the compliances could be automated.

There are countries out there where companies, even if run by a single person, need to comply with literally hundreds of regulations, with a new one popping up each month, all to benefit the corrupt bureaucracy, i.e. if you want to comply with every regulation there, you still need to bribe. But the system and the people who help with such regulations (auditing, lawyers) favour those who don't comply just because of larger bribes! So, even if you automate every other part of your business, you cannot automate out of corrupt bureaucracy.

M&A is one of the fundamental hurdles in a single person company, although there are other advantages such as freedom, cost-benefit etc.[1]

[1]https://hitstartup.com/being-single-founder-vs-having-co-fou...


Edit: Retracted


I think you misread. Report-URI is a service of Troy's which the GP was interested in sponsoring. The GP has no other affiliation with Report-URI.


Sorry, but the more I read this, the more I feel like KPMG is the main reason for the failed process...

> And so in September, we granted exclusivity to a bidder. (...) And so began the extensive due diligence. KPMG had warned me about this phase right at the beginning of the process and from memory, the word they used was something akin to "onerous".

You're supposed to have your ducks in a row before you launch the process, not after. As you're drafting your IM, you should also be preparing a virtual data room with as much data as you reasonably expect to be asked, and board minutes are the absolute minimum that any advisor should know...

> Among literally thousands of other requests (seriously - the total number was four figures)

And you don't have to respond to all of them! You can answer any request with "The company believes this can be answered as a matter of confirmatory diligence"

From literally dummies.com[0]

"Sellers can’t be afraid to remind Buyers that due diligence is confirmatory in nature, meaning Buyer should spend the time confirming Seller’s information and not planning, creating, and combining the two entities. The Buyer should take care of post-closing activities after closing! Otherwise, due diligence will drag on longer than necessary."

[0] https://www.dummies.com/business/corporate-finance/mergers-a...


I also distinctly got the sense that KPMG bungled this process. They seemed to bafflingly parlay Troy's position of strength into a position of weakness. Of course, all they really cared about was the bill at the end!


If your company is getting shopped to 43+ other companies, it's not a very strong position. This seems like KPMG responding to their incentives: sell the company and make like $250k, or don't sell the company and make "the biggest bill I've ever paid in my life".


I'm curious if Mr. Hunt has ever been through either side of a diligence process.

Everything in his list sounds like what you need to check the audit and compliance boxes at any "real" company. I've been through a dozen audits from prospective _customers_ that are worse than his description, even apart from our internal audits, so if someone was going to buy a company I'd expect essentially a superset of BS from all of those different inquiries. You sometimes answer the audit optimistically, then use that as your framework to write the policies and figure out how you're going to implement them before you submit your response. "How do you sanitize media for disposal?" "Oh shit, I guess we need a document that says how we dispose of media." - problem solved!

Yeah, it's rough. KPMG should have done their own diligence to see that he wasn't serious - if you're not willing to jump through some of those hoops then you're not ready for a big-boy company.


Agreed. I really feel for Hunt because the process surely is exhausting for anyone, let alone a sole business owner. But I have to wonder what he expected when he started to go down this path. It sounds like KPMG may not have adequately prepared him for this, or (based on my experience with consultants similar to KPMG) they probably assumed that he knew what he was getting himself into (he apparently did not).

That said, I don't put all of the blame on KPMG. It takes only a few minutes searching on the internet or speaking with advisors to learn that shopping for a buyout is a long, extremely hard process. In particular, I couldn't help but audibly laugh at Hunt's seeming incredulity at the request for "Documentation of the Company's technical operations". Hunt is trying to sell a tech company whose primary business value comes from the technical infrastructure, operations, and data. I don't want to sound too blunt, but...no fucking shit the buyers are going to want to know about his technical processes and infrastructure. Did he seriously think someone would even think about buying HIBP without investigating exactly what technical stack and data they are buying? Even for companies where the value isn't as based in the tech processes, nobody wants to buy a pile of steaming spaghetti code.

It should be common sense that this is the type of information that buyers would ask for. This list of tech processes and documentation of infrastructure is something that should have been put together first thing before Hunt even started shopping around.


Also true. When in banking we generally ran 2 parties in parallel through final documentation.

By the way the game theory and signaling is intense!


I don’t think he actually wanted to sell HIBP. He was way more focused on providing detailed constraints for the future of how it should be run, than in listing its assets and how those might benefit the future owner.

I think what Troy actually wanted was resources and support and management for his vision of the future HIBP. That's not usually what a sale is, and it sounds like he paid a lot to learn that lesson.

It seems to me like Troy treats HIBP as a mission, not a business, and in the US at least, a nonprofit would be an option to organize financial resources around a mission. As a private company, he could seek investment from like-minded folks with deep pockets, but that would likely come with external pressure to show a profit.


Thanks to Troy for HIBP and the story here.

It may be because he cannot speak towards the specifics of the deal, but I truly hope there was a breakup clause.

For those unaware, M&A deals eventually go exclusive which, as this post points out, is very very time consuming, which means expensive. For those who are involved in the deal itself, very little work gets done that runs the business.

So to protect against the downside for the company getting purchased, a break-up clause gives them cash if the purchasing company does not follow through.

Only companies in great negotiating positions can command these things, but it sounds like Troy was in a great position when looking at the initial 43 buyers.


Does anyone here have a story about a startup operating at Troy Hunt's (tiny) scale actually getting a breakup fee? I've been through a couple acquisitions now and I've never even heard of someone getting a credible binding breakup clause.


I negotiated the acquirer paying all legal fees and for our time. We were tiny. It worked out. Like others said, spent a lot of time drafting superfluous policy docs in response to requests for copies...


Yeah, all I can say is "ouch." I went through a very similar courtship process with a large tech unicorn and luckily my outcome was good, but halfway through the process I basically had to ask them to give me 5 figures in legal fees because I was paying a huge bill to attorneys and the power dynamics between single person startup and unicorn are huge. They were spending 6 figures on attorney fees and I was spending a smaller multiple, but as a single person startup.

I hope he got good advice, because this sounds really bad. HIBP is an amazing resource, and should easily command an 8-9 figure exit for the founder. It's disappointing to learn that the one suitor he settled on ended up being a dud.


It’s a database with public data. Let’s not get carried away.


> I kid you not, was in a meeting at [big tech company] HQ in [HQ location] and a comment was made to the effect that "there is only one service they trust as a white hat (Troy and HIBP)" and I'm like "fuck how does one guy corner the market on trust?"

That's invaluable


But also, much of that value is potentially lost the moment the sale goes through.


Right up until someone needs to put a price on it.


Damn that sounds like an incredibly exhausting experience, and all he got out of it was... a hugely expensive bill.

All I can say is props to him for keeping his principles, I really hope he'll be able to grow HIBP into a sustainable gig for himself and a small core team.


Seeing people hold onto their principles is pretty damn rare nowadays.


The world needs more people like Troy.


Sounds like he also got a bit of clarity of what he really wants.


This whole thing seems extremely naive and almost like a different Troy Hunt...

Why KPMG? Their competence is below average for an above average price hiding behind a big corporate name. Why answer thousands of questions, the majority of which could have just been a copy paste one liner? You're selling a side gig, not a massive company. Also, why sell it in the first place and then not want to give up control, limiting what the buyer can/wants to do with HIBP? If he didn't want to give away control then don't sell, find investment, find sponsors, find a business model which pays the bills and allows you to hire staff so you can scale it yourself. Decide what you want first :)

EDIT:

I think the increasing exposure and interest in HIBP has made Troy fantasize about a potentially nice cheque which a buyer could write him which could put him into early retirement, but then he realised two things along the process which made him change his mind on selling:

- HIBP is not really worth the amount that could retire a family (interest <> value, website hits <> value, etc.)

- The fan messages gave him a bad conscience

In the end the whole thing was not worth it.


Troy is not primarily motivated by money anymore; he has plenty [1]. What's most important to him is that HIBP is run the way he wants it run, but with more resources than a single person can offer. He's willing to pay the "biggest bill in his life" in order to preserve that vision, which honestly just increases his reputation as a person you can trust. He can make those kinds of decisions because money is not the main issue.

[1] https://www.troyhunt.com/10-personal-finance-lessons-for-tec...


> - HIBP is not really worth the amount that could retire a family

What do you think that amount is?

I mean, Australia's median household income is US$44,000 which you could achieve with US$1.1 million and an investment paying 4% above inflation.

I can easily imagine HIBP being valued that much by the right buyer - such as a company with an anti-credential-stuffing product.

Of course, someone hoping to retire and live a life of luxury would be a different matter.


Considering that he already lives in a pretty nice place and makes a pretty decent income, not sure he would care about the final amount too much.

PS: check the ABS, it's different median last time I checked.


I don't think the fact that KPMG ran it is necessarily the key thing here.

I have a perennial objection to the "Silicon Valley Way" where you try to build a scalable product or service and immediately look for funding (and later a buyer).

Normal companies just start. And try to be profitable quickly. I think this is probably the issue as well that Troy eventually found there. I think he should really be thinking: "What is my service and what is my product, and what is the 80-20 of where my product is worth the most."

And I don't mean dumb things like ads. I think he should be doing custom services for big companies that care about security.


To give an example, he probably can help a lot of big companies just with their authentication policies. Accountants are ignorant about these things and maybe he could for example be asked about when to use a password and when to use some kind of token, how to setup access to EC2 or Azure virtual machines and things like that.

I know these in principle should be simple. But the man is a rock star and should be able to cut through a lot of the bureaucratic BS.


> I don't think the fact that KPMG ran it is necessarily the key thing here

Agreed, and I also didn't mean to suggest that, but I am still surprised that Troy made such a fool of himself by hiring KPMG for really anything. He's a tiny one person business/sole trader; there is absolutely nothing which KPMG could do for him which another professional couldn't have done much more effectively, cheaper and faster.

KPMG are first and foremost salespeople. They did what they are trained well to do, make him feel bigger than he is. "Why don't we introduce you to our <whatever we wanna rip you off with> team", "have a seat Mr. Hunt", "want a glass of this amazing champagne whilst my sexy secretary calls for the big boss to talk to you?". LOL They totally got him. I'm sorry but that's really really foolish and I sort of lost a bit of respect for him there as soon as he mentioned KPMG ¯\_(ツ)_/¯


> Apparently, the way these M&A processes run is that as you really get down to the wire with the final bidders, eventually someone will ask for exclusivity. This grants them a window of time in which they can do extensive due diligence to the exclusion of all other bidders.

This is not always the case, and it's certainly not a requirement to get a deal across the finish line. More frequently, you'll select from the list of buyers who provided credible non-binding offers – presumably those with good strategic fit / rationale for the acquisition and that can provide certainty that they have the funds available to do the deal (e.g. they have the pile of cash and their board has already approved the acquisition).

Then you give that select list of final bidders more access to management, including below C-suite (i.e. the opportunity to ask technical questions to engineers and middle managers to really understand what makes the business what it is) and set a deadline for final, binding offers, of which you will choose that which creates the highest value to shareholders.

Exclusivity means betting all your money on one horse, and it can make sense in some instances, but preferably conditional on someone making a huge offer that you believe is bona fide and hopefully before you launch the broad process (140+ buyers, in this case) i.e. they are trying to preempt the process and are willing to pay up, and in return for sparing you the publicity / distraction / exhaustion from running the sale process, you grant them exclusivity.


I'm surprised the author contacted KPMG to run M&A for a small independently run website? Not sure what I'm missing here.


I'm surprised anyone would contact KPMG for M&A at all, in that they're primarily an accountant / auditor, not an M&A shop.


According to the post which introduced the project, he was already using them and they referred him internally:

> Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I've met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day.

https://www.troyhunt.com/project-svalbard-the-future-of-have...


> I'm surprised anyone would contact KPMG for M&A at all, in that they're primarily an accountant

They have other business lines. But they aren’t notable. If you’re a top M&A banker, or even the best in a small niche, you’re at a bulge bracket or a boutique. Not KPMG.


I think it's worth noting that Troy may have wanted a firm with a global presence given that he's based out of the Gold Coast. The firms with big M&A reps in the USA don't necessarily have that same rep or presence down here, particularly in Brisbane.


> Troy may have wanted a firm with a global presence

Troy is a deliberate thinker. I'm not second-guessing his choice.

The top M&A bankers in Australia are routinely one of a Swiss bank, an American bank and/or Macquarie [1]. The global banks are known as such because they have uniquely global reach. They're also uniquely expensive.

For a small deal, a boutique with global reach would be the default choice. They bring expertise with heavyweights who want a better work-life balance. They bring cost effectiveness with a reduced footprint.

The only reason to go with KPMG is because you know someone there you trust.

[1] https://www.afr.com/companies/financial-services/ubs-macquar...


Regardless, I think using any Big 4 consulting firm would be cost prohibitive for a small sale like this? No wonder they were laughing at the end of every meeting. He literally flew around with a team of KPMG consultants to 43 meetings to sell a site worth what, a couple million at best...?


Over a third (39%) of KPMG's revenue comes from management consulting services. KPMG has an entire arm of the company that is classified as "Advisory" (aka consulting), of which M&A is a big part, and it is completely separated from the accounting/audit arms.

All of the Big 4 "accounting firms" actually also house the largest consulting companies in the world, but somehow their old reputation of being "primarily an accountant / auditor" keeps sticking.


Thank you for sharing... 43 sounds super painful, and super tricky to safely share!

For others here: part of "companies are bought, not sold" is not just price difference, but whether the deal happens at all. Your startup needs to be solving something critical for an executive, e.g., cuts red tape on internal politics, and enough so that they'll push the deal through because they need it. Good signal is inbound, but not only, and part of your job is to help figure that out or get that inbound.

The reverse is still possible, but now you both underprice and need to find a firm that is efficient here. As part of my surprise in seeing gitlab internal docs in the open.. they explicitly look for good but struggling product teams to scoop up for basically annual bonus levels, and it sounds like they can do that quickly... If that's what you want.


"good signal is inbound" - mhm yep definitely english


Hah, sorry, super busy, sorry. Inbound interest is a good initial signal that there's genuine interest on the other end. It's way better than reaching out. Somewhere between inbound & outbound is maintained relationships you push on.

From having legit inbound interest, you still need to find an executive champion on the acquirer's side who'll spend months pushing through the lawyers, politics, etc, and ideally, has done it before. Not easy. They may not be the person who reached out to you, but they are the one(s) you need to identify, make the bet on, convince, and iterate with as issues arise. If they're senior enough, they can make it Just Happen.

Maybe the perspective here is selling a business is the ultimate big & messy & relationship-heavy enterprise sales process. The process described in the post sounds like the numbers approach of SaaS (outbound reachouts to BD people -> a few conversations -> sell), but not with the messy human parts of enterprise. -- For example, it's unusual to bring in someone like KPMG due to deal size and risks around disintermediating the owner from the buyer during relationship building. (Individual advisors here are more normal for slightly bigger deals, and they'd have more skin in the game & involvement than a big firm.) -- As another, was DefCon time hanging out with the CEO or #2 of the company and the champions?

Not easy! The advice I got here is 90-99% of these convs fail, so it's useful to be wary & understand.


I was commenting on the incredible level of jargon. This post is even more impressive!


I think Troy is struggling to find his own place in this venture. I appreciate his take on selling it to a good buyer, because a massive password list would otherwise attract shady buyers.

You cannot sell something and keep it at the same time. That's not what selling is. It's good to see governments taking interest in this, I'm happy about paid plans. To keep HIBP under his original vision and for him to enjoy his lifestyle, renting would be the ideal solution. Not selling.


My confidence level on this is very low, because what do I know, but my emotional commitment to this take, having been a small business operator (in Hunt's field) for a couple decades now, is very high:

This makes me very sad. Not that the deal fell through, because of course it did, but because of the process he undertook. Every part of it makes me sad. Any correction or rebuttal I get to this will make me happier, so I hope I'm wrong about a lot of it.

First, the adage that companies are bought, not sold, has in my experience and the experience of my friends been pretty much true.†

Next, the most valuable thing about HIBP isn't the underlying work Hunt did --- lots of companies have done equivalent work --- but HIBP's notoriety and popularity.

Which to me means that every credible acquirer of HIBP already knew he was for sale --- because everybody is for sale --- and already fully capable of reaching out to Hunt and offering him some kind of deal. The list of bizarre stories I've heard about random projects that have received corpdev offers like this is long.

Which to me suggests that putting a lot of work into a deck that explains HIBP and what makes it valuable was not a good use of time. If you're explaining, you're losing.

Then there's reaching out to your tax advisor to coordinate the sale. I have only heard bad stories about retaining financial firms to shop companies. In this case there's the added fact of the enormous incentive mismatch: Hunt is engaging a financial firm to act as his agent with a bunch of their own clients and client prospects, practically every one of which seems like it'd be worth more to KPMG than the HIBP "sale" or any ongoing relationship with Hunt himself.

Then there's what KPMG actually did, which was to arrange FORTY(!) pitches. To each of which he disclosed traffic stats and revenue numbers!

Bringing us back to HIBP's value being its notoriety, in that: anyone you have to explain HIBP to is probably not a qualified prospect. Also, just the idea that there would be 40+ qualified prospects to begin with.

My feeling is that a pretty big chunk of YC companies get a whole stream of invitations to corpdev meetings equivalent to the ones Hunt went through here. And that a big part of YC's founder education is convincing founders never to go to these meetings, because they're so unlikely to have good outcomes, and because the counterparties in those meetings are basically trained and selected to efficiently screw founders over. Here, it seems like Hunt paid for the privilege of experiencing this.

Then there's the deck itself; the one detailed slide of which we get to see is an exquisitely detailed rationale for why Hunt's presence is vital for the continued success of HIBP. "This is what the organisations bidding on HIBP were buying: trust in me." That's a description of a job interview, not a company sale. Elsewhere on this thread there's a comment saying HIBP should be worth 8-9 figures. Can we think of a company with this slide in their deck and that valuation?

In the end, he gets to term sheets with one potential company, and goes through what appears to be a full-fledged warrants-and-reps due diligence process, the completion of which is rewarded with a polite "no thank you" from the company.

This seems like the longest, most expensive job search anyone here has ever read about. I assume he paid KPMG for their work on this, and what KPMG did here looks to me like malpractice.

We give YC a lot of shit and they sure deserve a lot of that shit, but it's not unusual for me to look at a security founder story and think "this person really, really would have benefited from going through YC".

I like what Troy Hunt is doing a lot and he seems great. I hope things go better for him building this project up without trying to shop it for new owners.

The exceptions to "bought not sold" that we read about most frequently here are companies put up on company-flipping brokerage sites and sold solely for their revenue streams.


> the completion of which is rewarded with a polite "no thank you" from the company.

My reading is that the interested company, being the large amorphous blob that it is, decided in some separate cortex to change their business model while the due-diligence nitty gritty was underway, and Troy decided to cut out.


> Can we think of a company with this slide in their deck and that valuation?

WeWork?


It's interesting what HIBP reveals about both attackers and defenders.

HIBP held a long randomly generated password I used exclusively on tvtropes. It was in plaintext in a pw dump, suggesting they weren't even hashing at the time.

I contacted tvtropes a few times but got ignored with no announcement.

It's not a banking site, not sure what we should expect. But given compelling evidence of a breach and making no announcement to users seems irresponsible.


Sorry but, how is Have I Been Pwned anything but a text search of data that is already publicly available?

Normally a company is valuable because of some kind of value add. Either they generate data nobody else can, or they do something with that data nobody else can. HIBP does neither of those things. It literally searches one column of a database, and tells you if there was a match. You could run HIBP using a total of 1 SQL query, with a fancy template in front. It's essentially just a hobby project of a software dev. who wants something to do on the side. It is infinitely more valuable to Troy as a resume booster than to any company.


I reckon HIBP adds at least as much value (far more, tbh) over 'text search of data that is already available' as Dropbox does over 'FTP dump'.


> Sorry but, how is Have I Been Pwned anything but a text search of data that is already publicly available?

To be fair, Google is also a (very glorified) text search of publicly available data when you get right down to it. Value is a combination of how useful you are to other people and how popular you are with other people, not how technically complicated you are. HIBP is both useful and popular - hence it's valuable.


From the article:

"Anyone can cobble together a website with some APIs and load in a ton of data breaches, but establishing trust is a whole different story. Trust in the way I run the service is an absolutely pivotal part of HIBP and it's something I built organically rather than setting out to earn it, now here I was with big companies putting a value on it."


Yeah, so it's nothing but branding. There is nothing about this site that requires trust, since the data is already available. HIBP got popular on Twitter / the internet and is now a well known name in cyber.


Well, to be pedantic, it's not just a simple SQL query, it's also a percolation query server and notification system.

It's like saying that Pingdom is nothing more than a cron job.


The reason that trust is important could be to do with verifying breaches.

In some of his articles discussing various breaches, he mentions reaching out to selected (potential) victims to verify some of the details.

Doing that does require a fair amount of trust by various victims of the people asking to verify.

If I was randomly contacted to verify some details in a breach, I'd be skeptical it was a phishing scheme.

If I was randomly contacted by Troy Hunt / HIBP - then I'd look at it much more seriously.


He should really have built a password validating/auditing software for commercial use.

I used HIBP in a corporate setting; like most others I looked to see if there was a way to check AD and Linux for bad passwords, and a few people had some open sourcey things that only work retroactively with manual execution. We evaluated the need and decided on pursuing an unrelated commercial product that does all the password auditing using known bad passwords among a long list of other things. Since the start I wondered why HIBP did not do this. Having existing enterprise customers would have given him a lot more leverage.


That's basically what we've done with https://safepass.me/ and https://pwncheck.me/ ... and HIBP is the dataset we ship to our customers by default. If you are still looking to validate passwords when they're set, give me a nudge :)

We don't advertise the Linux/PAM support since we have failed to find a market for it (usually things end up being hooked up onto AD one way or the other)...


Anyone have a clue who the potential acquirer was? Just curious as to whether they wanted the brand of Troy Hunt as the databases are public and most technically savvy organizations can put one together.


My guess is Symantec due to their change of corporate direction/vision in 2019 (selling enterprise sec biz to Broadcom, concentrating on consumer/smallbiz cybersecurity). See https://www.pcmag.com/news/symantec-sells-off-name-enterpris...

Would line up well with Troy Hunt's mention of "It was a change in business model that not only made the deal infeasible from their perspective, but also from mine; some of the most important criteria for the possible suitor were simply no longer there"

But then I saw the date for the pcmag article above (Aug 2019) and I'm not sure now. Seems Symantec's divestiture is too early for this broken deal. Or would it take several months after the sale? I found an article from 2019 Nov 4 about Broadcom closing the Symantec purchase - https://www.crn.com/news/security/done-deal-10-7-billion-bro...


My personal guess is Mozilla (not sure whether Corporation or Foundation). Their mission and vision seem to align well with Troy's views on privacy and security, but for reasons unrelated to HIBP, they're cutting costs.

https://techcrunch.com/2020/01/15/mozilla-lays-off-70-as-it-...


Yes, that would be my guess as well. They seem(ed) to be the most aligned with his mission, giving him the freedom to stay in his home while also being in a corporate environment that could give him the necessary know-how and backup to grow his baby.


Well Sophos was just taken private, so maybe them? I'm not sure how widely known these things are before they come out.


My guess is PIA


Pakistan International Airlines?


The VPN.


After reading that, I think that what Troy needs is an employee or two (assuming the business supports it).


> So we wrapped it up, I got the single largest bill I've ever received in my life and then I sat down and started writing this blog post.

Where did the bill come from? Did he get billed by the prospective buying company for not purchasing him?


He hired KPMG to help him court possible buyers, I'm guessing it came from them. They talked to 141 companies, and I doubt their hourly rate is cheap.


They get paid a portion of the proceeds of a sale (or raise if you decide not to sell and raise money instead). The bill was almost certainly from his lawyers. I went through a failed M&A process and we were left with a 90K bill for it.


> They get paid a portion of the proceeds of a sale

This is true for most M&A. But with KPMG, last I saw, they charge a retainer that must be re-upped from time to time. (The joke was that's what you get when you hire accountants as bankers.)


Having been through a similar process with KPMG (that ended similarly), I can confirm that they operated on a retainer basis and it did need to be re-upped from time to time. The vast majority of their remuneration was a success fee though. This is pretty standard for the industry.


Just to cite one example, he says he was billed by the lawyers arguing whether he was legally considered a "sophisticated investor". I imagine there's not a single party in this process that works for free or on a commission. There's a lot of work done even when it doesn't result in a sale.


I believe that Have I Been Pwned provides a useful service, but I find it very strange that it needs to be valuated and sold like a startup when it's essentially been able to survive because people singularly trust Troy with a bunch of illegally obtained material. Like, how do you buy that; how could you ethically and legally make money from it? Why can't it just continue being supported by contributions?


He explained a little bit about his thoughts on this in a previous blog post: https://www.troyhunt.com/project-svalbard-the-future-of-have...


I didn't find that very satisfying, unfortunately. He mentions that he's overloaded with trying to maintain the service, but then jumps immediately to looking for someone to acquire Have I Been Pwned. Couldn't he just get a few more people to help him out?


You say that like it's a simple thing.

I don't know the details of his particular situation, but it's entirely possible to grow a small company to the point where you either need to radically change your role, or find someone to do it for you. Acquisition is one way to do the latter, although it's not always going to be appropriate.

Sometimes you can't add a few people and have the same organization.


My takeaway is it kinda seems Troy wants to add A TON of people and still keep the same organization and responsibility.

Sounds to me like he's window shopping for an investor that will basically replace his engineering role with a team, pay that team, give Troy a paycheck for work he's done in the past, and let him show up every couple weeks between jetsetting to bark his vision at the new team.

I'm not shocked that it's not going well so far. HIBP is one of those unique cult-of-personality type platforms where it cannot exist in its current form without Troy, and Troy cannot continue in his current form without HIBP. If I'm looking to buy HIBP I want to know that it's not just going to be the Troy Show 2.0 with my money instead of his.


I get the same impression to some extent, but I'd be hard-pressed to say I wouldn't cave and do the same thing, to be completely honest.

Who wants to work a 9-5 their entire life? I personally don't.


I agree. I was on the fence about my wording while posting because I can't say that given the opportunity I wouldn't shoot for the same outcome.


Right, but the link provided doesn't shed any light on the situation.


The way you buy that is by buying the thing that's trusted - that is, you buy Troy Hunt.

That realization appears to have been a major factor in the decision not to pursue other buyers.


A key feature of our society is that many things are given away for free and supported by an advertising infrastructure.


I emailed Troy to ask if he'd consider operating it as a non-profit utility similar to Let's Encrypt, and offered to help (because it's only fair if you come with an ask).


I've been sitting here wondering why bringing HIBP into an existing non-profit foundation wasn't the desired outcome. Having HIBP under the control of corporate interests seems icky.


Do we know for sure it wasn't? Couldn't Mr Hunt have wanted Mozilla to take over, but they weren't keen .. what other non-profit options fit here? Apache?


That sounds like a terrible idea in this case. It would all be ads for VPN services in the best case, or credit protection services in the worst case.


I think it's good that he doesn't sell; having built an enormous marketing presence and gained market trust is only a minor step away from actually monetizing that. Selling what he has right now does indeed come with golden handcuffs (sucks), but also any purchase price would come in vastly under the project's potential.

He could easily leverage this marketing presence to build a security SaaS company, create a huge conference, launch a big consultancy,...

If you value independence then running your own profitable balance sheet is the best thing you can do.

Hell, it wouldn't even be hard to attract talent to the cause at the point he's at.


> He could easily leverage this marketing presence to build a security SaaS company, create a huge conference, launch a big consultancy,...

If it were so easy, it would've been done already.


He doesn't have the plan and associated funding and the people in place.

Maybe easy is the wrong word, but he's definitely well-positioned to reap more reward from what he has achieved so far.


[flagged]


On a meta note I'm honestly surprised that somebody took the time to script a bot to create accounts and post obvious spam on HN. It's like, the least plausible place on the planet to find customers by spamming...

I believe this is the first I've ever seen such a spam comment created by a spam-specific new account.


@dang

