Re: Metasploit Rising

[Ben Greenfield <bcg () struxural com>]

Congratulations to everyone.  I see this as a very positive move, both
for Rapid7 and for the project.

Personally, as someone who works for a cybersecurity company that
purchases all kinds of licenses each year (Nessus, Burp, GFI, etc), I
would absolutely be willing to pay for Metasploit (assuming the
pricing is realistic, unlike Core which IMO is not affordable or
priced reasonably).  I guess I would just ask that if the project
moves to a subscription model to make the costs somewhere between Burp
and Nessus.  I think Burp is an outstanding value, and Nessus is
terrific, but I think the pricing is a little heavy handed.  Core just
isn't realistically priced in my opinion.

Congratulations again, I'm sure that the project will benefit a lot
from full time development.



On Thu, Oct 22, 2009 at 9:21 AM, HD Moore <hdm () metasploit com> wrote:
> On Thu, 2009-10-22 at 11:20 +0300, Siim Põder wrote:
> > Just wondering what would "acquire" mean in the context of an open
> > source project? As far as I understand, this should mean a
> > non-exclusive patronship of a company supporting the development of a
> > project by hiring people to develop/manage it full time. Similarily as
> > many companies could be said to have "acquired" linux kernel? Or was
> > there an actual "Metasploit" entity that was bought?
>
> This has been a frequent question, let me start with some history:
>
> When skape, spoonm, and I started on the rewrite from Perl to Ruby, we
> also took steps to make the IP rights easier to enforce. The reason for
> this was to prevent a third-party from ripping off our work before we
> even had a functional tool. To this effect, Metasploit LLC was created
> as a three-member partnership, and each of the original developers
> assigned their copyrights to the LLC. In return, we each received the
> equivalent of a personal BSD license to the sum of the code. The public
> license for version 3.0 and 3.1 was a commercial-style EULA that had a
> clause providing the LLC with rights to incorporate any changes made by
> third parties. I personally owned the domains, trademarks, and many of
> the original copyrights (going back to 1.0). The LLC also owned training
> materials and other documentation.
>
> In 2008, both skape and spoonm left the project to work on other
> ventures. This left me as the sole partner of the LLC, but without a
> real development team. I converted the LLC to a sole proprietorship and
> changed the license of the framework to BSD. With the 3.2 release, all
> of the code owned up to that point by the LLC was relicensed under the
> 3-clause BSD license, and the MSF_LICENSE alias in the modules was
> updated to reflect this. All contributions back to the tree would only
> be accepted under the BSD license (excluding some third-party stuff as
> identified in the README). This change made it easier to bring new
> developers into the project.
>
> What Rapid7 acquired is the combination of my personal and the LLCs
> assets. This includes all rights to the 3.x code base up to 3.2 in
> whole, plus specific rights since 3.2, the trademarks, domains, web site
> content that was authored by the LLC, training materials, and a number
> of other things that were not actually public. This isn't limited to
> just the Metasploit Framework, but also includes things like
> Decloak.net, the WarVOX project, and a few unpublished works. Rapid7 is
> sponsoring the project in that sense that they are funding dedicated
> resources, but its a much more than just a sponsorship.
>
> The result is closer to the ClamAV acquisition by Sourcefire (as far as
> I can tell, details of that were not made public), and less like the
> Tenable/Nessus or IBM/Linux models. We plan to continue development
> under pretty much the same model. The only major change is that I have
> help doing the "boring" backend work, quality testing, and preparing
> releases. Rapid7 is committed to the open source model and keeping the
> BSD license.
>
>
> -HD
>
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework