Paul is right. There are certain apps which can move around (within my home
network) as well as open different ports. This may go against a good
security policy, but a well behaved UPnP setup can actually be *more* secure
since the ports close when the app is shutdown.
I have a video chat program that I use with my Dad and it utilizes UPnP.
Bitorrent clients can also be setup to do the same. I also use pfSense the
way Paul described. I lock down the ports and apps that can be used so it's
partially static. Nothing is using UPnP on my home network without my
knowledge, which is something that can't be said in a corporate environment.
I recommend the developers take a look at the way pfSense implemented their
UPnP support. As was mentioned before, it can be disabled by default on