BREAKING - Elastic Sues Search Guard

Wow, this is a big event. Elastic has discovered that the makers of the open source Elastic Plugin for security features Search Guard copied and used their proprietary security code and is filing infringement lawsuits.

It came to our attention that the developers of Search Guard, a security plugin for Elasticsearch from floragunn GmbH, directly copied source code from our proprietary security features into their product. In looking deeper, we discovered a pattern of intellectual property theft that has apparently been going on for years.

So earlier today, we filed a lawsuit in the United States District Court for the Northern District of California against floragunn GmbH for copyright infringement and contributory copyright infringement.

Why else is this a big deal? Open Distro security feature is almost entirely Search Guard and written by, wait for it… floragunn.

From the Open Distro forum on security features.

Question from a user.

I’ve been looking through the code you have in your packages, and I see that most of what you have for authc/authz is based on Searchguard, however there’s no attribution to Searchguard.

Answer by AWS

Hi Mikael. The security features include contributions by floragunn (the makers of Search Guard) and you will see their copyrights on the source files. We have collaborated with them on bringing security features to Open Distro.

And follow up answer by Search Guard

We have helped AWS to bring security features to Open Distro for Elasticsearch. From our perspective Open Distro for Elasticsearch is a legitimate product.

Claudia Kressin
CEO, floragunn GmbH…

To be fair the press release from Elastic does not contain any reference to AWS or Open Distro. It is entirely possible that Open Distro contains no infringement on Elastic proprietary code even though their security features rely heavily on Search Guard.

But for years, thousands of Elastic users have been using Search Guard for security features in place of licensing from Elastic to get them.



Here is the complaint, if you’d like to read it:….


Wow. Thanks for finding the complaint.

Further, Elastic is informed and believes, and, on that basis, alleges that, floragunn made commercial use of its infringing Search Guard product by purposefully marketing and licensing that product to customers in the Northern District of California. By way of example, Elastic is informed and believes, and, on that basis, alleges that floragunn licensed its Search Guard software to: (1) PayPal Holdings, Inc., a company that, on information and belief, has its principal place of business in San Jose, California; (2) AppsCode, a company that, on information and belief, has its principal place of business in San Leandro, California, for use in AppsCode’s CubeDB software; (3) NVIDIA, a company that, on information and belief, has its principal place of business in Santa Clara, California; (4) Zuora, a company that, on information and belief, has its principal place of business in San Mateo, California; and (5) OpenTable, Inc., a company that, on information and belief, has its principal place of business in San Francisco, California



Great catch, Darth… their blogs are good stuff in general, but I don’t go back often enough and see what’s new.

I guess, long-term, this can potentially mean these clients move off the (non-compliant/illegal) Search Guard license and leverage Elastic, per CEO Shay Banon from that blog:

“All Search Guard users are a part of the Elastic community, and it is unfortunate that floragunn’s actions may have put you in the position of running infringing code. As you consider your options, please be aware that Elasticsearch now includes free security features by default, which will help ensure you don’t need to run an unprotected cluster. We want to help, so please reach out to us at if you have questions.”

Obviously “free” isn’t terribly useful short-term, but the concept of getting more users to leverage the Elastic features can lead to those clients eventually becoming more entangled with Elastic solutions and paying for their other features and solutions, such as when Endgame is fully in the loop, etc…



Obviously “free” isn’t terribly useful short-term

This is true. Elastic does provide basic security features (like encryption) for free as of an update earlier this year. This is basic stuff similar to what most open source software already came with (like Mongo).

There are also many more advanced security features that meet unique requirements for enterprise and are only available at platinum level subscription. One of these is field and document level authentication. Businesses with dozens or more employees will need to restrict access to specific fields or documents within a data set for “need to access” due to privacy, legal, and liability reasons. Not a major concern for someone in a two person shop, but basic encryption would be.

Search Guard has an enterprise security product that enterprises were paying for in lieu of Elastic. The major part of this was document level authentication and that is the specific code that Elastic alleges was pirated.

A significant portion of floragunn’s copying centered on the Document Level Security (“DLS”) features in Elastic’s X-Pack code. As the name would suggest, DLS allows an X-Pack customer to apply security settings to particular documents in the database.

That is also the majority of work that Search Guard provided to Open Distro according to the Open Distro Thread. “Auth/authz”



Follow up.

As part of the legal action Elastic had issued DMCA takedown notices to GitHub and Sonatype (a kind of GitHub competitor). That was announced in the original blog.

Yesterday GitHub and Sonatype did just that and removed Search Guard from their respective repositories.

Response from floragunn.

Elastic appears to claim that certain components of floragunn’s Search Guard product infringe Elastic’s copyrights. To be clear, floragunn fully and unconditionally rejects Elastic’s allegations of copyright infringement, and will vigorously defend Elastic’s unfounded claims in court, and hold Elastic accountable for damages that their actions have caused floragunn and its customers…

Needless to say, by filing the DMCA takedown notices, Elastic has succeeded in crippling communication and release channels for Search Guard. As Search Guard is a security software, it is vital for our users to have reliable channels for reporting security problems and receiving software updates. We are proactively working on restoring access to our code.

Nothing regarding open distro. Only a statement in reply to users getting antsy stating “AWS stands by open distro and look forward to a quick resolution to these claims”



For anybody interested in this topic originally posted here:…

There is a new development from Elastic today found here:…

As expected, Elastic has found additional reach of what they allege is copyright infringement by floragunn and Search Guard.

Today, we have updated our lawsuit in two important ways. First, we have identified additional copying by floragunn with respect to the separate, proprietary code base for our Kibana product. Second, we have identified specific companies and products whose infringement floragunn has induced — that is, third-party products and services that use or are based on the infringing Search Guard code.

Upon closer inspection, we identified additional copying by floragunn in several key parts of the Search Guard Kibana plugin, including aspects like user management. These examples go back several years, further confirming the pattern of copying we identified and referenced in our original complaint.

Now that we have identified additional third-party products and services that include floragunn’s infringing code, we have created this blog post to address that induced infringement. The amended complaint we filed today names several products and services that use floragunn’s infringing code, including Open Distro for Elasticsearch from AWS, Amazon Elasticsearch Service, ObjectRocket for Elasticsearch, and IBM Cloud Databases for Elasticsearch. While we have no reason to believe that these companies intended to use infringing code (and have not named them as defendants in the lawsuit), it’s important to be aware that floragunn’s actions have put these companies and their customers in the position of running and using infringing code.

Elastic is not naming the third parties as defendants, which seems proper, because they are not willful participants in what is alleged to be Search Guard’s infringement. But these products are on notice and should be good for Elastic’s long term protections of their IP. If they prove their case.



When this first was announced back in September I thought the most impact would be to snuff out the main purpose behind the Open Distro project. The security features.

But with this update they are claiming the top hosting competitors are using Search Guard’s lifted code.

Namely AWS Elasticsearch Service. It was recently reported that this service was one of AWS fastest growing services and that the top number of customers was producing $100M in ARR. As I recall anyway, can’t find that article now.

Anyways a number of familiar big tech names use the AWS ES service. Many for internal use such as logging, APM, security event monitoring, and other monitoring related use cases. While others use this service as a critical component of their customer facing software product.

Here are a few of the customers:

Prime Video

To name a few. There are thousands more.

This has a potential tectonic level of effect for a great number of infrastructures. If this service is suddenly rendered without this allegedly lifted code and the security it provides.

Thousands of companies are getting notified about this and are evaluating the impact of sticking with the AWS service to say the least.

And then, now that it’s confirmed that the code is in Open Distro, Netflix and Expedia lent their names to the OD project. Netflix, I know has one of the largest Elastic deployments out there. Are they using Search Guard somewhere in their own stack?

Search Guard has a free and open source version and an enterprise version. I believe the free version code is what is in Open Distro. So by interpolation that means the free version has the “pirated” code as well.

How far does this reach? For those who were building Elastic solutions and using SG for security, free and paid?

This sounds huge to me. It must be noted these are all allegations at this point. The case has not been proven in court at this point.



I always say never invest in a lawsuit. That is another loser’s game. Frankly, despite how good I am at what I do, with plenty of experience, it still amazes me sometimes what a judge will do even to things that seem most obvious. Then you appeal, usually win your appeal and all is set right, except more and more time passes and justice delayed is justice denied far too often (Rambus as an example).

Nevertheless, in this case, it is not so much winning or losing the lawsuit (they stand a very good chance of winning) but the fact that one of the prime criteria for using software is to not use infringing software. These companies are on notice that there is a good chance the software is infringing and that they will need to find an alternative. What alternative?

They can do it in house - not easy, if it was they wouldn’t be using the infringing code to begin with; they can switch vendors, say to Datadog or Splunk, or they can go with Elastic directly. There is no doubt that this lawsuit will increase momentum to customers choosing to use Elastic or Datadog or some other clearly non-infringing alternative. Thus, not really investing in a lawsuit.

This said, as has been the issue constantly, how is Elastic going to make money! Well, they are doing a better job of it than Nutanix is. Start with low hanging hurdles.



I’m not suggesting in any way shape or form to invest in ESTC based off a lawsuit.

ESTC thesis is that they are far and away the top search data store product on the market. That positions them to be a core to many use cases that touches them in some way for thousands of companies. They are at $100M/qrtr and growing at 60%. With 80%+ gross margins. With a compelling product portfolio that is just starting to truly monetize their technology. That’s the thesis.

However, the lawsuit highlights some important things. Elastic has proprietary IP. That includes a lot of very powerful security code that enterprises want. And thousands of companies want Elasticsearch technology for multiple use cases.

Others make a business out of taking their open source products and reselling them. But they can’t make these enterprise necessary security features. Without them their own products would suffer. Still others provide and sell a product that provides those security features. But those may not be worth squat without thriving code. Meaning, in an enterprise sense, Elastic is more likely the place a company should go to get a real production ready Enterprise product.

ESTC is compelling prior to this lawsuit announcement. But it certainly does raise a lot of possibilities as to the future. Even if they lose.



Darth, I hypothesize that if Elastic were to lose this lawsuit it would be catastrophic. No bones about it. It might be catastrophic for much of open source commercial use as well.

However, it seems very likely Elastic prevails. This lawsuit may also put out of business the defendant in this matter. It is life or death for them.

So the worst case scenario is remote, but the best case scenario, depending on how security is provided say for a product like Datadog’s, is that Elastic becomes the only source to go to for an absolutely necessary security product for any commercial production use of Elasticsearch.



I don’t see it that way.

If Elastic loses. Life goes on as it has.

Elastic continues to succeed despite these products being commercially available as they have done.