Users with currently valid licenses should not be affected.
Users outside the US and Canada will have to apply for a license for Metasploit penetration testing software and provide some additional details about themselves in order to get it, as per the latest US export regulations it is subjected to.
The screening process focuses on both the paid (Pro) and the free (Community) editions, regardless if the distributor of the product is Rapid7 or a third party.
Non-governmental users should be eligible
“In accordance with the new requirements, the request will be reviewed by Rapid7 and, unless the user is a non-US or non-Canadian government agency (or is otherwise ineligible to receive the products without approval from the US Department of Commerce), the request will be fulfilled,”.
The reason for this is that Metasploit uses encryption, and all US products using this kind of technology are open to export regulations. Apart from this, software pieces dedicated to security intrusion activities have started to face increasing regulatory reviews and restrictions.
Reviewing the info delays license delivery
However, the wait time for obtaining the license will increase due to the information screening process. If complete and accurate details are provided, the company says that the wait should not take more than 48 hours.
All those who already have an active Metasploit license should not be affected by the change for now, but will face the same rigor when the license expires.
Rapid7 “will follow the appropriate US and foreign government regulations and seek authorization to continue serving our customers who already have licenses, but cannot guarantee the success of these applications to continue usage in the future.”
The restrictions do not apply to Metasploit Framework, which is an open source project and remains available for download outside the US and Canada under the same conditions as before.