Thanks for your interest in making Metasploit more secure! If you feel that you have found a security issue involving Metasploit, Meterpreter, Recog, or any other Rapid7 open source project, you are welcome to let us know in the way that's most comfortable for you.

You can click on the big orange button at Rapid7's Vulnerability Disclosure page, which will get you to our general vulnerability reporting system. While this does require a (free) ZenDesk account to use, you'll get regular updates on your issue as our software support teams work through it. As it happens that page also will tell you what to expect when it comes to reporting vulns, how fast we'll fix and respond, and all the rest, so it's a pretty good read regardless.

If you're more of a traditionalist, you can email your finding to security@rapid7.com. If you like, you can use our PGP key to encrypt your messages, but we certainly don't mind cleartext reports over email.

Please don't! Disclosing security vulnerabilities to public bug trackers is kind of mean, even when it's well-intentioned, since you end up dropping 0-day on pretty much everyone right out of the gate. We'd prefer you didn't!