They could be using Elasticsearch for a side project. IMO, open source projects should not be unsecured.