I created the Metasploit Project over six years ago as way to publish security information to those who needed it most, the security professionals in the field. The project has evolved from a personal web site, to a collaborative effort with a small group of friends, and finally to the robust community-driven project that we know today. This progress came at the cost of the evenings, lunch hours, early mornings, and weekends of countless contributors who donate their time for the benefit of the community. The volunteer nature of the project has lead to innovation in niche areas and has driven research across a wide range of topics.
During this time, Metasploit has always been a hobby; something I enjoy working on when my current job isn't monopolizing my free time. The project has always taken a back seat to the demands of day to day employment and this has created a bottleneck in terms of project growth. We now receive far more contributions, feature requests, and bug reports that the core team can keep up with in their free time. The project has come a long way, but nearly all patches, module submissions, and new features are still processed by only a few people. The time it takes for us to cut a release has increased as well; it has been almost a year since the last stable version of the Framework was released, with hundreds of new features in the development tree, but no time to test them well enough to consider them ready for a stable release.
All of this is changing. I am excited to announce that Metasploit has beenacquired by Rapid7
and that myself and Egypt will be working on Metasploit as our full-time jobs. I will be taking on the role of Chief Security Officer of Rapid7 as well as Chief Architect of Metasploit. Egypt will join as our first core developer. In addition, we are hiring an exploit developer, user interface designer, and mostly importantly, a QA engineer, all dedicated to making the Metasploit Framework the best penetration testing product available. Rapid7 has committed to keeping the project open source, with no plans to change the license or the community development model. What will be changing is how fast we add new exploits, integrate new features, and release new versions. By backing Metasploit, Rapid7 will benefit from the extensive security research experience of the Metasploit team and use this to enhance its existing NeXpose product line.
Rapid7 was the right company for Metasploit for a number of reasons. First and foremost, they understand the value of the community have seen the benefits that funding a project like Metasploit can provide since our first conversation. Second, the management team at Rapid7 is made up of some brilliant folks. They may not be exploit developers, but they understand business and how to make a marriage with Metasploit increase their own bottom line without destroying the value of project in the process. Third, Rapid7 has an amazing technical staff and a solid vulnerability management product. There are only a few companies in the world that understand how much work is involved in doing vulnerability assessments right, and this team has been doing it for over 9 years. Lastly, Rapid7 has an enormous QA lab, with the ability to perform regression testing across a massive array of operating systems and patch levels. The combination of their staff and technical resources will allow the Metasploit Framework to make a huge leap ahead in the coming months.
To the members of the community who have been contributing their time and mindshare, thank you! The best way to show our dedication is by demonstrating that we mean what we say. In the next six months, we will hammering out Metasploit Framework releases that benefit from the dedicated resources provided by Rapid7 and illustrate exactly what we can do now that we can fully focus on the framework. If you have any questions or comments, you can email me at hdm[at]metasploit.com or join our IRC channel (#metasploit on irc.freenode.net). The Metasploit web site has been updated to include a FAQ about the acquisition, as well as links to the announcement on the Rapid7 web site as well.