This blog post explained some of the reasons why Elastic "opened" their XPack code. "Open" here simply means that they merged their private XPack repositories into the open ones. One of the reasons that the blog post above doesn't mention is that this move was mostly motivated by the need to facilitate the tedious engineering task of keeping all their product versions in sync. Anyway, the XPack code is now out in the open and visible for anyone to see, but it's not free as in "free beer".
As shown on the Elastic subscriptions page (see the red rectangle in the image below), XPack Security is only available starting with a Gold license.
Another alternative is to use their Elastic Cloud, which provides Security out of the box and allows you to pay a lower amount on a monthly basis.
If the price burden is too heavy for you, you might want to check out SearchGuard, an alternative Security plugin for ES that provides a free Community tier for basic security features.
UPDATE (March 11th, 2019):
Since today, Amazon has released a fully open-sourced version of Elasticsearch with a Security (and Alerting) plugin. More info at: https://opendistro.github.io/for-elasticsearch/
UPDATE (May 20th, 2019):
Since versions 6.8.0 and 7.1.0, some features of XPack Security are now included in the BASIC license, and are thus free.
UPDATE (Sep 4th, 2019):
Elastic has filed a lawsuit against SearchGuard for IP infringements: https://www.elastic.co/blog/dear-search-guard-users
Details of the lawsuit: https://www.pacermonitor.com/public/case/29887799/Elasticsearch,_Inc_et_al_v_Floragunn_GmBH
This impacts both SearchGuard users AND OpenDistro users since the latter repackage the SearchGuard plugin.