The slides from the talk egypt and I gave at SecTOR 2008 are now online. One of the highlights was a change in licensing -- instead of the existing EULA-like license, the 3.2 release will be provided under the 3-clause BSD license. The text below is an extended version of a rant I shared with Kelly Jackson Higgins over at Dark Reading.
The original version of Metasploit (1.0 and 2.x) was available dual-licensed under the GPL and Perl Artistic License. The goal was to make the framework interoperable with other security tools and help out other open source developers with a well-written codebase. However, once Metasploit 2 started to pick up steam (50,000 users), we started to see commercial entities take advantage of the license to the detriment of the project.
In one case, a product vendor was selling laptops containing Metasploit 2 for the sole purposing of demonstrating how their product could detect it. The original license allowed for this, but we do want people who use the software to contribute back, and we want to make sure that any "demo" use is based on the original version of the software and not one that a vendor has modified. We never saw a bug fix, patch, or suggestion from the group within that vendor which was using it for this purpose. We want the Metasploit name to be consistent with a certain level of quality, which we could not guarantee when a vendor was using a possibly modified version to demonstrate their product's detection capabilities.
In other example, we noticed that a company which specializes in vulnerability assessment products had a Google Adword on the term "Metasploit". When we followed the link back their web site, we saw a commercial exploit product which appeared to have exploit-for-exploit coverage matching the Metasploit Framework. Eventually, I spoke with a developer and a manager at this company and determined that they were not actually using the framework code. They were, however, using the Metasploit Framework as a reference to create their own "competitive" product. Again, this falls within the rules of the license, but between the Google Adwords, the competitive marketing materials, and the lack of any feedback, patches, or bug reports, we considered this to be a truly offensive use of our code.
When we (the original three developers of 2.x) started to work on the 3.0 version, we decided to take a new approach to licensing. We created a company to hold the rights to the new source code, transferred our copyrights to this company, and hired a lawyer to draw up a suitable license with our requirements. The goal was not to prevent commercial use, but to keep commercial entities from harming our project by using our own code against us. Once the new license was announced, we were suprised by the amount of support we received from the community. Our new license granted us redistribution rights to all contributions we received. Our contributors were still happy to send in patches and improvements under this license.
Fast-forward two years and we have a codebase of over 300,000 lines of Ruby code (not including all of the assembler and C), a massive user base, a strong community of contributors, and a decent reputation as a software project. The license successfully prevented the types of abuses that we found so annoying with the 2.x versions. Since the original 3.0 release, there have been some organizational changes within the project, including the loss of both spoonm and skape as core developers. Filling their shoes are mc, egypt, patrickw, et, I)ruid, ramon, pusscat, and a handful of other folks from the community.
Of the three members of the holding company that owns the Metasploit source code and trademarks, I am the only one still involved in the project. This situation is what lead to the new license. We have a new group of core developers and a handful of contributors who were limited in what they could do with the framework ecause of the license. Since the 3.0 release, the project has come a long way, both in terms of features and industry recognition. We believed that changing the license to be as open as possible (BSD 3-clause is early public domain) would not only be fair to the new developers, but allow us to expand beyond the original goal as an exploit platform and become the basis for wide variety of new projects.
The new license will lead to commercial abuse, but I believe that the project is now strong enough to succeed even with competition from commercial entities that are using our source code. The key to our success is the Metasploit community and our dedication to sharing security information (and code) in a timely fashion. Metasploit is great at destroying FUD, whether the source is an incompetent product vendor or a media-happy security company.
The new license allows a new level of customization and purpose-specific derivatives. Its entirely likely that we will see new projects targeted at individual sectors and applications (SCADAsploit, anyone?), which we hope will filter some improvements back to the core project. By opening the license to the entire Metasploit codebase, we have let the proverbial cats out of the bag, its now just a matter of counting kittens.