Vulnerability management vendor Rapid7 has purchased the popular open-source Metasploit penetration testing tool project and named Metasploit founder HD Moore as chief security officer of the company.

Moore, who is synonymous with the Metasploit Project , will continue as chief architect of Metasploit in his new role at Rapid7, and with an initial team of five Rapid7 researchers dedicated to the open-source project, some of whom already have been regular contributors to Metasploit. Financial terms of the deal were not disclosed.

Today HD Moore and Rapid7 announced that Rapid7 has purchased the Metasploit Framework Project. The speculation around this has taken the pentest and vulnerability scanning community by storm.  After talking with some colleagues I have come up with the following, here’s some things you should know:

First, be happy for H.D. Moore. He is one of the hardest working exploit devs and project managers in the world. Not only HD, but Egypt as the first paid core dev for the project.  Congratulate them.  Bravo.

HDM and Rapid7 have stated that “Rapid7 is 100% committed to keeping the project open source and the community development model.” This buyout is not so much of a buyout,  it’s a corporate backing of MSF and HD’s vision of the project. For now (or “anytime soon”) the BSD 3 License will not be going anywhere. MSF will be sticking with Ruby and Rapid7 has no plans, for now, to corporatize MSF.  Rapid7 wants to take the MSF brand and stand behind it.

There is some worry about community submissions to MSF now that it is owned by R7. Rob Fuller (mubix) gave a pretty straight forward answer to that in reply to Sourcefire’s VRT blog:

    “For those not happy that the development for or submission of your ideas / exploits to the Metasploit project now that those submissions will also go to Rapid 7 are seriously underestimating the fact those all those companies were pulling that information already.”

What does it mean for R7’s NeXpose Vulnerability product?

Well, it’s really about extensibility and market share . Adding the exploit database from MSF to NeXpose gives a far better risk rating to the product by adding a way to validate vulnerabilities and rate them by current known exploit code. They also gain the name, rights, branding, and developers for the MSF project which all funnels into Rapid7 corporate brand. As R7’s new CSO HD Moore brings his talents to the R7 table. In addition R7 does not just offer vulnerability management solutions but also penetration testing solutions, which is a market they have fought to be in for a while.  Now they have legs to stand on, so to speak, when battling dominant market competitors like CORE , SAINT, and ImmunitySec.

Catch an exclusive interview with HD and R7 on the Risky Business Podcast =)

Heres a pretty complete article roundup on the buyout:

http://blog.metasploit.com
http://www.metasploit.com/home/faq
http://blog.metasploit.com/2009/10/metasploit-rising.html
http://www.rapid7.com/metasploit-announcement.jsp
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1371945,00.html
http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067
http://infosanity.wordpress.com/2009/10/21/rapid7-acquire-metasploit/
http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html
http://isc.sans.org/diary.html?storyid=7417
http://vrt-sourcefire.blogspot.com/2009/10/rapid7-make-bold-statement-acquiring.html
http://www.andrewhay.ca/archives/1085