So recently I created a rails site to take payments. I took significant steps towards moving all site secrets to environment variables using rbenv-vars, such that there are zero secrets stored in version control, and all references to those secrets are environment variables. I did that all with the idea that I could simply open source the site.

However, after looking around I can't seem to find many other people doing this at all. Is this because it's bad practice to open source any payment related code? Or because it would be easier for malicious people to potentially find loopholes? Or is this just something that companies are lazy about doing?

Thanks!
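The pattern the question describes (every secret read from the environment, none committed) as an added Ruby example; this is not the poster's code, and the variable names STRIPE_SECRET_KEY / STRIPE_PUBLISHABLE_KEY and the sample source text are constructed assumptions:

```ruby
# Added example: a Rails-style loader that reads payment secrets only from the
# environment (as rbenv-vars would populate it), failing fast at boot when any
# are missing, plus a scan that flags hardcoded secrets before they are committed.
module PaymentConfig
  # Assumed variable names; adjust to whatever the .rbenv-vars file defines.
  REQUIRED = %w[STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY].freeze

  # Returns { stripe_secret_key: "...", stripe_publishable_key: "..." }.
  # Reports every missing/blank variable at once so a deploy without the
  # .rbenv-vars file cannot start with an empty key and fail later at checkout.
  def self.from_env(env = ENV)
    missing = REQUIRED.select { |name| env[name].to_s.strip.empty? }
    raise ArgumentError, "missing environment variables: #{missing.join(', ')}" unless missing.empty?
    REQUIRED.to_h { |name| [name.downcase.to_sym, env[name]] }
  end
end

# A quoted literal assigned to a secret-looking name is exactly what must not
# reach version control; a reference through ENV is the intended pattern.
SECRET_NAME = /(secret|api_key|password|token)/i
LITERAL_ASSIGN = /\A\s*[\w.:]*#{SECRET_NAME}\w*\s*(=|:|=>)\s*["'][^"']+["']/i

# Returns [[line_number, line], ...] for each hardcoded secret in +source+.
def hardcoded_secret_lines(source)
  source.each_line.with_index(1).filter_map do |line, no|
    next if line.include?("ENV") # ENV["..."] / ENV.fetch(...) is the safe form
    [no, line.strip] if line.match?(LITERAL_ASSIGN)
  end
end

# Constructed sample source: lines 2 and 3 should be flagged, 1 and 4 should not.
SAMPLE_SOURCE = <<~RUBY
  Stripe.api_key = ENV.fetch("STRIPE_SECRET_KEY")
  stripe_secret_key = "sk_test_constructed_value"
  password: 'constructed-password'
  timeout = 30
RUBY
```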
Two schools of thought, with the assumption that, as you said, no secrets, keys, etc. are in code.

Open sourcing it allows the people to provide you with feedback how to make it more secure or help find vulnerabilities so you can address them right away.

Not open sourcing it prevents people from finding vulnerabilities which they could use to compromise your site, or other sites based on your code.

My own two cents: if you want to open source it, I'd do it and just value the feedback you will get and make things as tight as possible. A lot of times code doesn't get open sourced not because people are afraid of security but afraid of being judged by what they had to hack together to get 1.0 out, and then how long that code sometimes hangs around. Speaking from experience on this for sure.
What do you mean by "take payments"? You mean you collect CC/other info and send it to a merchant like Stripe? Or do you have a merchant account (as in an ISO account), and are actually communicating with a processor directly?

If it's the former and you store any customer information at all, I would caution against it, since it identifies your application as being something that people can attack and possibly get data from.

If it's the former and you don't store any information that can even remotely identify customers, it wouldn't really hurt. I don't think Stripe/PayPal/etc. require that integration with their APIs be kept secret.

If it's the latter (merchant account) I would assume that you're required to maintain PCI compliance, in which case even if you remove all "secrets", it still may be unacceptable to open source that code.

Keep in mind, if you store data and transact with processors, any bug in your code opens both the processors and users up to fraud. Generally I don't consider that a good idea. Code audits are one thing (which can be done by hiring a firm to internally review your code), but giving it to everyone I think would be a bad idea.