It’s official: the Metasploit project, created by HD Moore, has been acquired by Rapid7, an information security company (better known for its vulnerability assessment product NeXpose).

What does this mean for the future of this great open source project that many have learned to love (and, I suppose, hate) over the years? Well, according to its creator, it can only make it better. Having Metasploit go commercial means a budget, an actual QA department, a full-time dev team and more quality exploits.

Here are a few things that Rapid7 had to say:
“As a result of our union, we will be able to bring superior data on exploitability to our customers, helping them to prioritize and remediate key security issues. The exploit data will be directly embedded in our vulnerability management solution NeXpose, providing a whole new level of risk analysis capabilities to our clients, while ensuring that NeXpose, which will continue as a separate product, delivers the safest, most proactive and actionable vulnerability scanning capabilities in the industry.”

That sounds pretty good, but something does bother me. “The exploit data will be directly embedded in our vulnerability management solution NeXpose.” As far as I’m concerned, this means NeXpose will be feeding off Metasploit’s better parts. I guess that’s normal; they just acquired it and can do whatever they please, and it will make NeXpose an even better product in the end. But what will happen when Metasploit has nothing left to feed it?

“Finally, the combination of NeXpose and Metasploit will enable Rapid7 to continue to grow its relationship with partners and consultants…”

Does this mean that Metasploit will eventually depend on NeXpose? Should we expect, sometime in the future, a message saying something like “…this feature requires you to install NeXpose…”?

Another little bit that has brought me some concern comes from Moore’s statement on his blog:
“From a user’s perspective Metasploit will still be free. All of the important bits are going to remain open-source…”

Which important bits? Let’s face it, the whole framework is pretty important and downright incredible. Will the exploits be open source? Will the framework’s inner workings? I guess only time will tell…

Don’t get me wrong, I am extremely happy for Mr. Moore and the rest of the Metasploit team. They created an open source application to help the community. If they can make money and continue working on something they started as a hobby… well, congratulations! I don’t think anyone would object to that. Let’s face it, having a piece of code (big or small) picked up by a commercial enterprise must be rewarding as hell.

My concern is what will happen to Metasploit down the road, after a few years. History has a tendency to repeat itself. In the past, open source projects acquired by commercial entities have been known to slowly but surely turn into closed ones. Of course, this is not always the case.

Another thing: what will happen to Offensive Security’s MSF certification? Will they have as much support and cooperation now to keep the study material up to date? Will they be limited by the bits of the project that will not be open source? Then again, it may not be affected at all.
As mentioned by muts (Mati Aharoni, lead developer of Back|Track and CEO of Offensive Security), MSFU won’t suffer from Metasploit’s acquisition. Sorry, muts, for not seeing (or reading) that detail.
Offensive Security Official MSF training partner

So, to end this, again congratulations are in order for the whole Metasploit team. I’m extremely happy for you all. Transforming a hobby into a career is not always easy.
Good luck, have fun

Metasploit/Rapid7 FAQ