
Metasploit Project Sold To Rapid7

ancientribe writes "The wildly popular, open-source Metasploit penetration testing tool project has been sold to Rapid7, a vulnerability management vendor, paving the way for a commercial version of Metasploit to eventually hit the market. HD Moore, creator of Metasploit, was hired by Rapid7 and will continue heading up the project. This is big news for the indie Metasploit Project, which now gets full-time resources. Moore says this will translate into faster turnaround for new features. Just what a commercial Metasploit product will look like is still in the works, but Rapid7 expects to keep the Metasploit penetration testing tool as a separate product with 'high integration' into Rapid7's vulnerability management products."
  • Wow (Score:3, Funny)

    by Yvan256 ( 722131 ) on Wednesday October 21, 2009 @11:08AM (#29823705) Homepage Journal

    Even names are in high-definition these days.

  • get off my lawn.

    In my day we had to use smoke signals to exploit a neighbor's abacus. And you know what, we liked it.

    Now you have your fancy audio couplers and wireless networks.

  • Sold to a company, What wut!?
    • Re: (Score:2, Informative)

      It's nothing new really; there have been several tools that have either been "sold off" or whose devs have "closed source". (I could be wrong) 3 that pop to my mind are Nessus, Tripwire, and Snort. ... sure does make me want to start using the words "sell outs" though.
      • Re:Opensource tool (Score:5, Informative)

        by bleh-of-the-huns ( 17740 ) on Wednesday October 21, 2009 @12:28PM (#29824677)

        Snort was never sold to anyone, Snort has always been a part of Sourcefire, the developer just created a commercial product.

        Not sure about tripwire...

        Nessus went closed source due to a number of other companies stealing it, incorporating it into their products, and then selling it. It is still free for non commercial use, and free registration will allow you to get updated plugins (albeit a few days behind commercial customers)

      • Snort was not sold off. Marty Roesch, creator of Snort, formed Sourcefire for the express purpose of commercializing it. Even with that, Snort is still open source under the GPL, and Marty has indicated that there are no plans to ever change that.

      • I stand corrected ... (thank you ... must get caffeine before posting next time), but my point still stands, open source being traded off isn't new .. but it is irritating.
  • by al0ha ( 1262684 ) on Wednesday October 21, 2009 @11:39AM (#29824049) Journal
    Rapid7, who are incredible jerks at least in terms of aggressive cold-call sales people. There are periodic rounds of complaining about them on one of the lists I'm on. We can't stand those guys.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      I interviewed with Rapid7 for a software development position, and I too can attest to the fact that the company seems to be full of jerks. I was essentially pressured to accept a position before being provided with any salary or benefits information - because those are just "minor details" ...

      Also the sales team was running laps around the office. It looked like a frat house.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Just what a commercial Metasploit product will look like is still in the works

      I'm going to bet that it'll look like a several hundred dollar price tag that puts it out of reach of many users of the original project and at least 4 figures for use in enterprise with the most basic support tier.

      Call me pessimistic, but when fairly unique security tools are commercial projects this is almost always what the pricing looks like.

  • Now that this software is run by a company with assets, what are the risks that they will get sued out of existence by some company who wrote bad code?
  • I'd like to buy sendmail and apt-get. How much would those two cost me?

    I am not clear on how open-source projects get "sold" to commercial entities. I understand how companies can use open source but I don't understand how companies buy and sell open-source programs.

    Can someone smarter than me lay out, in business terms, how this works? Was Metasploit a corporation? If so, what kind? Was it an S-corp? C-Corp? LLC? LLP? What were the mechanics of the sale? What approvals were needed from what
    • by Nursie ( 632944 ) on Wednesday October 21, 2009 @12:07PM (#29824419)

      Depends on the project.

      If the copyright for metasploit belongs solely to one person, or to a small enough group, then they can sell that on to the company, dependent on what they link to and the licenses used there. I.e. QT was available to purchase and Nokia bought the company and the IP there.

      They could, if they bought all the copyrights from all the right people, start producing closed source versions. They could also employ all the devs involved and take ownership of the trademark. At that point they have effectively bought metasploit.

      What they can't do is rescind the previous license. It's something that's been tried once or twice but it's a nonsense. If they gave away the source under BSD or GPL or similar F/OSS license then it's out there and the community will always be able to use that version and develop it further, under the same (or different if the company took the TM) name.

      Hopefully things won't get that far and the source will continue to flow, but who knows.

      Anyway, no, you're not naive, buying and closing this stuff requires permission from and probably compensation to all contributors and is only logistically possible on projects where there aren't many of them.

      • Ok, I understand everything you laid out, but it seems like Rapid7 is "using" the metasploit code - which does not necessarily require them to outright buy the company. (sidenote: we all agree that they can not rescind what was done in the past. That "stuff" lives forever under whatever license it was released under).

        Why would someone buy anything open-source unless the copyrights came with it? The alternative, is to "use" the open-source product and just conform to GPL or whatever the license
        • I guess Rapid7 wants to do closed source versions in the future. That makes it necessary to buy the copyrights, or at least most of them, and re-develop the stuff they could not buy.

          Of course that puts them in competition with whatever open source version other people maintain. A previous example of that would be Interbase by Borland. Borland released the version 6.0 under an open source license, but reconsidered soon after and the next version was closed source again.
          That one open source release was pi

    • If I am the author of a piece of work, I may choose to offer it to the general public under a license, say GPL, LGPL, Creative Commons, whatever. But, say someone with more cash than brains comes along and doesn't want those licenses. In exchange for some consideration (usually cash), I may choose to offer the same code, which I own the copyright to, to them under a different license. Simple.

      In this case, it appears that, in exchange for some consideration (probably cash, but also a job), the author chos

      • In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.

        How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?

        • Re: (Score:3, Insightful)

          In exchange, the original author gets a) a job, and b) the ability to work full time on the code base he's passionate about. And probably some cash.

          How exactly does "a job" and "the ability to work full time" for someone else constitute compensation for something you've already created?

          If the author of the code agrees that this is sufficient compensation, then it is sufficient compensation. Otherwise, the sale couldn't be made.

          • The authors of the code would do well to work on their negotiating skills. Essentially they're being required to forfeit prior intellectual property as a condition of employment; some would call this "theft" in the absence of any additional consideration. I hope at the very least they have lucrative salaries and a solid employment contract, if not royalties.

            • Indeed, it's a crappy deal - certainly not one I'd take. But a legal one if they agree to it...
            • Re: (Score:3, Insightful)

              by ediron2 ( 246908 ) *

              You're all a pisspool of nattering armchair lawyers bragging about how they'd have won such-and-such case without even knowing the details. How the *FSCK* would you even know? Did I miss where the terms of the contract were posted online?

              Here are just the scenarios I've seen (or offered) in my own career:

              "Hi, this project you're working on is great -- can we buy a nonexclusive license for $$$?"

              "How much would we have to pay you to focus on functionality that'd do Y? How long would it take?"


        • Re: (Score:3, Insightful)

          "The ability to work full time on the code base" comes from him being employed to do it, i.e. he doesn't need to spend time on other paid projects. Being employed could be considered compensation if he wasn't making any money on the project before, since he'll be getting more money for possibly the same amount of work that he was already doing. Many people (not necessarily the original author, just in general) also prefer the security of a steady job and having other people handle administration, sales, etc.
    • by b0bby ( 201198 ) on Wednesday October 21, 2009 @12:10PM (#29824463)

      I doubt I'm smarter than you but... I would guess that the HD Moore guy who ran the project owns the Metasploit name, trademark, domain etc, as well as the copyright on the code. So you can see how all that could be worth something, plus they're hiring him to keep working on it. If they wanted to they could presumably close the source going forward, though he says in his blog post that they're committed to keeping it open. If they can make a popular tool work well with their other products, it might be worth it to them and apparently it is, since they've done it.

      • That's the nice thing in Germany: You can't sell your rights to your inventions/creations. You are always the one who created it. That fact can't change without a time-machine. (Don't dare calling German Urheberrecht a "copyright law". They are very different. And luckily so.)

    • by paimin ( 656338 )
      I read it as the company bought future development, which will be closed. You can't close development that's already open, but you can use that existing development in a commercial product, provided you satisfy the licensing of it.

      In other words, this will be a closed fork.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      According to the website, Rapid7 bought the trademarks, the website, and "rights to the Metasploit Framework", the current version of which "was originally developed by Metasploit LLC and is made available for use by Rapid7 under the 3-clause BSD license."

    • The name of the project is normally trademarked by someone. While somebody can take the open code and fork it under a different name (IceWeasel, for example), they cannot call the fork by the trademarked name (Firefox, for the previous example). Also, the code is still copyrighted by its owners, BSD or GPL are just licenses for what you are allowed to do with the code. In some cases that I have seen (I believe QT does this), the owner of the trademark will require contributors to assign copyright of their c

    • Fork it if you don't want to go corporate; plenty of people did that when MySQL went to Sun.
      • Fork it if you don't want to go corporate; plenty of people did that when MySQL went to Sun.

        After forking it, you'll need a new name of course. I vote metasplit.

    • Well it depends on how you define open source. If it's simply a program that you distribute the source code along with, then it's quite easy: you simply sell the ownership of / license the code to somebody else; since you presumably own all the code, this isn't a problem. Similarly with projects that do have 3rd party developers, you can stipulate that they relinquish ownership of any contributions they make to the project to you or whatever organization happens to be managing the project. Where it gets tricky

    • Sun basically bought apt-get when it hired the guy that created it. Now it's integrated in OpenSolaris.

      • I thought OpenSolaris had its own package management system. Maybe it is practically apt, but it is not actually apt. Nexenta is an OpenSolaris distro that uses apt, so maybe that is what you are thinking of?

  • Legal minefield (Score:1, Interesting)

    by n3td3v ( 819422 )
    There will be a legal minefield now that a big company with lots of money owns Metasploit. I mean the Metasploit web site doesn't even have a privacy policy.
