Metasploit Project Sold To Rapid7
ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
Depends on the project.
If the copyright for Metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependent on what they link to and the licenses used there. I.e. Qt was available to purchase and Nokia bought the company and the IP there.
They could, if they bought all the copyrights from all the right people, start producing closed source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought Metasploit.
What they can't do is rescind the previous license. It's something that's been tried once or twice but it's a nonsense. If they gave away the source under BSD or GPL or similar F/OSS license then it's out there and the community will always be able to use that version and develop it further, under the same (or different if the company took the TM) name.
Hopefully things won't get that far and the source will continue to flow, but who knows.
Anyway, no, you're not naive, buying and closing this stuff requires permission from and probably compensation to all contributors and is only logistically possible on projects where there aren't many of them.
Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.
Not sure about Tripwire...
Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non-commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers).
I came, I conquered, I coredumped
You are right, it gets used by script kiddies.
That is EXACTLY why I use it regularly to make sure it doesn't work for them. I can quickly scan a host and see what they may be able to take advantage of.
What do you do? How do you know that you've installed every patch? MS doesn't even TELL you about every patch, let alone include them in Windows Update. Does all of your other software auto-update as well? Do you have some mystical application that makes sure you never make a configuration mistake that opens an exploit? My IIS servers don't return customized version information, is it just supposed to look at that and know what it really translates to and what patches I have installed on it?
You sir, are not a system admin. You may be employed as one, but you certainly shouldn't be. The mere thought that patching is enough by itself is retarded. Assuming that you have perfect configurations that never change and will be safe forever after you set them up is retarded. Pretty much no matter how you look at it, your argument is one of extreme lack of experience.
Every high security environment in the world does penetration testing, as do lower security environments who would rather be safe than sorry. Banks, the government, health care providers to name a few, ALL do penetration testing, both by software, and social engineering, all the way down to trying to actually break into a physical location.
Fuck you and your arrogant ignorance about security, come back to us when you get out of pointy-headed-boss-school or secretary school, whichever you happen to be in.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager