October 21, 2009 at 1:30 pm #4355
October 21, 2009 at 1:31 pm #27544 morpheus063 Participant
Yes, it's all here now:
Vulnerability management vendor Rapid7 has purchased the popular open-source Metasploit penetration testing tool project and named Metasploit founder HD Moore as chief security officer of the company.
Moore, who is synonymous with the Metasploit Project, will continue as chief architect of Metasploit in his new role at Rapid7, and with an initial team of five Rapid7 researchers dedicated to the open-source project, some of whom already have been regular contributors to Metasploit. Financial terms of the deal were not disclosed.
October 21, 2009 at 1:44 pm #27545 jason Participant
Interesting. Hopefully we don’t see it end up like Nessus.
October 21, 2009 at 1:45 pm #27546 Ketchup Participant
Wow, that could be bad news. I am hoping that it goes the way of Tripwire and not Nessus.
October 21, 2009 at 1:50 pm #27547 morpheus063 Participant
Let us hope it remains open source.
Both Moore and Rapid7 say they are well aware of previous open-source and commercial marriages that have gone south, however, such as the Nessus scanning tool, which went from an open-source to a proprietary, closed-source license under Tenable Network Security. They say they are focusing on the open source community to leverage Metasploit. “Our goal is to make sure we improve the open-source” element, Thomas says. “Metasploit will remain open source.”
October 21, 2009 at 2:04 pm #27548 Xen Participant
Well, their stand as of now is “Metasploit will remain open source.”
I just hope that Moore has done what he thinks is best for the tool.
October 21, 2009 at 2:06 pm #27549 jason Participant
I sure hope so, but the road to hell is paved with good intentions…
October 21, 2009 at 2:23 pm #27550 alucian Participant
I doubt that it will remain fully open source.
Maybe it will be a lite version that will be free, but business is to make money 🙁
Hope I’m wrong.
Unfortunately, the ones that will be happy are the bad guys.
October 21, 2009 at 2:27 pm #27551 rattis Participant
They can keep it open source, and charge for training and support. Technically they could charge for the software as well, as long as they give the source code with the product (a la Red Hat).
October 21, 2009 at 2:52 pm #27552 Ketchup Participant
Well, I would consider paying for msf if it meant that new exploits and features were added quicker. The charge would have to be reasonable, like $500 a year for a subscription. (The free version would still exist and have a delayed update feed.) We don’t need another Core Impact pricing schedule. Just my $0.02.
October 21, 2009 at 3:08 pm #27553 geekyone Participant
Looks like the biggest thing they were plugging was their NeXpose vulnerability scanner and some kind of integration with msf. Qualys does something similar with CORE. If that is their aim and they leave the products separate, like CORE and Qualys, that could be a great improvement.
October 21, 2009 at 7:43 pm #27554 Jhaddix Participant
Did a quick post on it here: http://www.securityaegis.com/metasploit-buyout/
Today HD Moore and Rapid7 announced that Rapid7 has purchased the Metasploit Framework Project. The speculation around this has taken the pentest and vulnerability scanning community by storm. After talking with some colleagues I have come up with the following; here are some things you should know:
First, be happy for H.D. Moore. He is one of the hardest working exploit devs and project managers in the world. Not only HD, but Egypt as the first paid core dev for the project. Congratulate them. Bravo.
HDM and Rapid7 have stated that “Rapid7 is 100% committed to keeping the project open source and the community development model.” This buyout is not so much of a buyout, it’s a corporate backing of MSF and HD’s vision of the project. For now (or “anytime soon”) the BSD 3 License will not be going anywhere. MSF will be sticking with Ruby and Rapid7 has no plans, for now, to corporatize MSF. Rapid7 wants to take the MSF brand and stand behind it.
There is some worry about community submissions to MSF now that it is owned by R7. Rob Fuller (mubix) gave a pretty straightforward answer to that in reply to Sourcefire's VRT blog:
“For those not happy that the development for or submission of your ideas / exploits to the Metasploit project now that those submissions will also go to Rapid 7 are seriously underestimating the fact those all those companies were pulling that information already.”
What does it mean for R7’s NeXpose Vulnerability product?
Well, it's really about extensibility and market share. Adding the exploit database from MSF to NeXpose gives a far better risk rating to the product by adding a way to validate vulnerabilities and rate them by current known exploit code. They also gain the name, rights, branding, and developers for the MSF project, which all funnels into the Rapid7 corporate brand. As R7's new CSO, HD Moore brings his talents to the R7 table. In addition, R7 does not just offer vulnerability management solutions but also penetration testing solutions, which is a market they have fought to be in for a while. Now they have legs to stand on, so to speak, when battling dominant market competitors like CORE, SAINT, and ImmunitySec.
Catch an exclusive interview with HD and R7 on the Risky Business Podcast =)
Here's a pretty complete article roundup on the buyout:
October 21, 2009 at 8:06 pm #27555 RoleReversal Participant
I’m trying to see the positive side:
- corporate backing means resources for testing and development
- Core people getting paid to work on MSF means that the project doesn’t suffer when ‘real’ work gets in the way
- Corporate backing means MSF gets ‘approved’ for use by companies that don’t ‘do open source’
Until this point HD and team have done a great job of getting Metasploit off the ground and keeping it growing and evolving to meet changing times. I’ll keep faith that this won’t change.
Regardless of the future of an unarguably great free tool, which I'm sure everyone on this forum has used to a greater or lesser extent, I'd like to thank hdm and team for the work that has gone into the project so far. I'm pleased to see the hard work is paying off.
October 21, 2009 at 10:03 pm #27556 impelse Participant
Most of the successful open source projects that were bought by for-profit companies became commercial. In the beginning they say: "We will keep the open source project," but later they change, etc, etc, etc.
They always say: the market required us to make these changes...
October 22, 2009 at 5:42 pm #27557 Michael J. Conway Participant
I would like the OpcodeDB to come back online.
I would also like to see it not go the way of Nessus. We’ll have to watch and see.
October 22, 2009 at 10:53 pm #27558 Kev Participant
Who said writing open source doesn’t pay off in the long run? I am willing to put money on it going the way of Nessus.
November 10, 2009 at 5:16 am #27559 timmedin Participant
I listened to HD Moore’s interview and then some commentary by the PaulDotCom crew and I think it will work more like SourceFire than Tenable.
November 10, 2009 at 3:21 pm #27560
November 12, 2009 at 12:02 pm #27561 UNIX Participant
Looking forward to future development, hopefully it will remain free.