Last updated at Wed, 26 Jul 2017 16:32:01 GMT
Hi, I'm the product manager here at Rapid7 and one of the many people behind the Community Edition. I joined Rapid7 in July after spending my last eight years with Red Hat. Before that, I worked at another open source software company. Naturally, I have strong opinions on why open source and community-driven software is a fundamentally better way to build and release software.
With that as a background, I thought I'd take some time and explain the motivation and philosophy behind NeXpose Community Edition and why we decided to do it. At Rapid7, we've always been big believers in open disclosure as the best way to improve security. The community-driven security process works. In the software industry, the momentum is clearly a trend towards openness and community. Some software companies are doing it just for the marketing (and it shows), but many others are actively embracing community and openness as part of their DNA. It's not necessarily an easy or free process, but at the end of it, there are incredible benefits – starting with better software and happier customers.
As a group, we looked at the security market and at vulnerability management in particular, and we didn't see a transition from closed to open. Surprisingly, we saw the opposite – a trend from open to closed. We think that this is bad for security, bad for customers, and bad for the community. And so it became apparent that releasing a free, unrestricted version of NeXpose would be a good thing.
But before we did that, I wanted to have a conversation internally about why we were doing it. I wanted to make sure that Rapid7 as a company was committed to investing in the community, instead of just releasing a free version of NeXpose and then hoping a community would materialize, because communities don't just appear for free. So we had some active, spirited conversations about this and we decided, as a company, that we are committed to building a community.
We then had the debate about what features to include in Community Edition. After all, we are a for-profit company and we do have a duty to our shareholders to make money. Simultaneously, we wanted something that would be generically useful for everyone, and not just for a few. So we decided that, while we would impose some limitations (mostly around the number of IPs and some enterprise features), we would actually release with a license that does not restrict use as well as real-time vulnerability updates (including our 24-hour Microsoft Patch Tuesday updates).
So, after that decision, in the last quarter of 2009, Rapid7 dramatically expanded the number of full-time engineers working on the free, open source version of Metasploit. We launched NeXpose Community Edition with flexible license terms and real-time vulnerability updates. We released Metasploit NeXpose integration. We launched community.rapid7.com. We've responded to some of the initial feedback from the community, with more reporting functionality and improved usability. We've just barely started and we won't stop. Stay tuned for more.