
Ask HN: Is there a reason I shouldn't open source payment related code? - alexggordon
So recently I created a Rails site to take payments. I took significant steps towards moving all site secrets to environment variables using rbenv-vars, such that there are zero secrets stored in version control, and all references to those secrets are environment variables. I did that all with the idea that I could simply open source the site.

However, after looking around I can't seem to find many other people doing this at all. Is this because it's bad practice to open source any payment related code? Or because it would be easier for malicious people to potentially find loopholes? Or is this just something that companies are lazy about doing?

Thanks!
======
davismwfl
Two schools of thought, with the assumption that, as you said, no secrets,
keys, etc. are in code.

Open sourcing it allows people to provide you with feedback on how to make it
more secure or help find vulnerabilities so you can address them right away.

Not open sourcing it prevents people from finding vulnerabilities which they
could use to compromise your site, or other sites based on your code.

My own two cents, if you want to open source it, I'd do it and just value the
feedback you will get and make things as tight as possible. A lot of times
code doesn't get open sourced not because people are afraid of security but
afraid of being judged by what they had to hack together to get 1.0 out, and
then how long that code sometimes hangs around. Speaking from experience on
this for sure.

~~~
alexggordon
Yeah, and that's the thing. If I do have bugs, I'd rather know about them and
potentially let someone else learn from them, than simply solving security
through it being closed source (the definition of "security through
obscurity").

Thanks for the two cents!

------
rnovak
What do you mean by "take payments"? You mean you collect CC/other info and
send it to a merchant like Stripe? Or do you have a merchant account (as in an
ISO account), and are actually communicating with a processor directly?

If it's the former and you store any customer information at all, I would
caution against it, since it identifies your application as being something
that people can attack and possibly get data from.

If it's the former and you don't store any information that can even remotely
identify customers, it wouldn't really hurt. I don't think Stripe/Paypal/etc
require that integration with their APIs be kept secret.

If it's the latter (merchant account) I would assume that you're required to
maintain PCI compliance, in which case even if you remove all "secrets", it
still may be unacceptable to open source that code.

Keep in mind, if you store data and transact with processors, any bug in your
code opens both the processors and users up to fraud. Generally I don't
consider that a good idea. Code audits are one thing (which can be done by
hiring a firm to internally review your code), but giving it to everyone I
think would be a bad idea.

