I wanted to ask the community if it makes sense in certain situations NOT to patch for this exploit based on how the server is being used. I currently run a public service to allow people to search all public Reddit comments via an API (Example searching for meltdown in this subreddit: https://api.pushshift.io/reddit/comment/search/?subreddit=sysadmin&q=meltdown&pretty=true&metadata=true).
This API is using a cluster of servers running Elasticsearch. All data on the servers is public data (there is no sensitive information). After applying the patch on a dev box, I noticed a performance hit that would fluctuate between 10-20%. These servers are running Ubuntu 16.04 LTS and I have decided to use the boot flag "pti=off" to disable the patch.
In this scenario (no PII, all public data, etc.), does it make sense to disable the patch? I understand security is always a very important part of the IT equation, but I do believe there are instances where certain servers do not deal with any type of sensitive data.
I'd like to use the pti=off Grub boot flag to maintain the performance pre-patch and not take the performance hit. The only sensitive data that I can think of would be passwords in the system itself (although I only use ssh keys for logging in and have always disabled plain text passwords).
Is there something I am overlooking if I decide to go this route? I'm basically making the argument that it isn't necessarily always mandatory to apply security patches such as this one when balancing performance vs. risk of an exploit.
This particular exploit is unique in that most security patches don't affect the performance of the machine by such a huge margin (if at all). I'd just like to get everyone's thoughts on this.
Post Details
- Posted: 6 years ago
- External URL: reddit.com/r/sysadmin/co...
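For the `pti=off` decision discussed in the post, an added example (not part of the original post) that audits whether page-table isolation is actually in effect on a host, by comparing the kernel command line with the kernel's Meltdown status file. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` and reports "unknown" where that file is absent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether kernel page-table isolation (PTI) is active.

# Classify a kernel command line. Any disabling token wins, which is the
# conservative reading for an audit.
pti_cmdline_state() {
    state=default
    for arg in $1; do
        case "$arg" in
            pti=off|nopti) state=off; break ;;
            pti=on)        state=on ;;
        esac
    done
    printf '%s\n' "$state"
}

# Classify the text of /sys/devices/system/cpu/vulnerabilities/meltdown.
# An empty argument means the kernel does not expose the file.
pti_sysfs_state() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        Vulnerable*)        echo vulnerable ;;
        "Not affected"*)    echo not-affected ;;
        *)                  echo unknown ;;
    esac
}

# Combine the boot-time request and the kernel's own report into one line.
pti_audit() {
    boot=$(pti_cmdline_state "$1")
    live=$(pti_sysfs_state "$2")
    if [ "$live" = vulnerable ] || { [ "$live" = unknown ] && [ "$boot" = off ]; }; then
        verdict=UNMITIGATED
    elif [ "$live" = unknown ]; then
        verdict=UNKNOWN
    else
        verdict=OK
    fi
    printf '%s boot=%s sysfs=%s\n' "$verdict" "$boot" "$live"
}

# Live check on the current host (both reads tolerate a missing file).
cmdline=$(cat /proc/cmdline 2>/dev/null)
sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
pti_audit "$cmdline" "$sysfs"
```

Run across a cluster, the one-line verdict makes it easy to confirm that hosts with PTI disabled are the ones where that was a deliberate choice.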