by phlo 3279 days ago
Metasploit is a bit like a knife. You can use it to chop vegetables or stab people, and depending on who wields it, and in what circumstances, either of the outcomes is more likely.

I'm not arguing against the development of Metasploit though, and neither do I want to make an argument against vulnerability research. Every time Tavis Ormandy takes a shower, an AV vendor runs for cover; and on Christmas each year, Karsten Nohl cancels the vacations of some legacy system developers. That's a good thing, because those guys report their findings. They push vendors to fix the vulnerabilities, and they improve the security of systems we all depend on, every day.

Governments should do the same thing. I am all in favor of investing more in vulnerability research, but we need a process of disclosure. Stockpiling vulnerabilities puts everyone at risk, with little benefit.

Circling back to Metasploit: Yes, it makes work easier for cybercriminals. But even just the knowledge that a vulnerability will be available as a module quickly may be enough to make some vendors think twice about not reacting to a disclosure email, whether it's from Project Zero, independent researchers, or (hopefully more often) government CERTs.