Mandatory Requirements:
- Contract - You must be willing to sign a contract that binds you to Netragard, L.L.C. This contract will define all terms and conditions.
- Functionality - Your exploits must work as advertised. Submitting any exploits that are broken will result in you being banned from the program.
- Non-Malicious - Your exploits must not contain any "secret" or "hidden" or "malicious" code. Any such code will result in you being banned from the project.
- Exclusivity - You must guarantee exclusivity to Netragard, L.L.C. These exploits must not have been distributed to any third parties. If Netragard purchases an exploit from you and the exploit surfaces someplace else, you will be banned from the program and may be required to repay Netragard in full.
- Process - Netragard has a well-defined process that it follows during the purchasing of exploits. You must agree to follow this process.
- Rejection - Netragard reserves the right to reject or deny a purchase at any time during the process. If an exploit is rejected, it remains your property and it will not be used in any way by Netragard. You also have the right to reject at any time. If you reject, then the exploit remains your property.
- Purchase - When Netragard purchases an exploit you surrender all rights to the exploit. You may never discuss the exploit with any third parties, you may never distribute the exploit, and you may never use the exploit.
- Random - Netragard will accept exploit submissions that are not a part of the target list. If you have any exploits that do not match our target list then please feel free to fill out an Exploit Acquisition Form and ship it to exploits@snosoft.com. Netragard will then determine if the exploit is of interest.
- Time Requirements - The time to move from acquisition to payment may be as long as 4 months depending on the nature of the exploit and the workload faced by Netragard's engineers. Nevertheless, the payout will be very much worth the wait.
- NO-POST - DO NOT POST ANY INFORMATION ABOUT YOUR EXPLOITS OR YOUR RESEARCH TARGETS TO THIS BLOG!!! ONCE AN EXPLOIT HAS ANY PUBLIC EXPOSURE ITS VALUE IS GONE!!!
- You find a vulnerability and code an exploit.
- The exploit MUST WORK WITHOUT FAULT OR FAILURE AND IT MUST BE EXCLUSIVE TO YOU. IF IT DOES NOT WORK WELL OR IF IT IS NOT EXCLUSIVE DO NOT PROCEED TO STEP 2!!
- You fill out the Exploit Acquisition Form ("EAF")
- Email exploits@snosoft.com if you do not already have an EAF.
- Send the EAF to exploits@snosoft.com
- Netragard will determine if the exploit is of interest. If it is then you will receive an email with pricing information or you will receive an email with questions about the exploit. If it is not of interest, then you will receive an email saying that it is not of interest.
- If you are interested in selling for the price offered, then agree to the email. If you are not interested, then disagree.
- If you agree to sell the exploit for the price set by Netragard then you must encrypt the exploit and email it to adriel@netragard.com. The PGP key for encrypting the exploit is provided here. (http://www.snosoft.com/pgpkey.asc)
- Once Netragard receives the exploit, it will be vetted by the Netragard research team. If the exploit works as advertised and is clean in nature, Netragard will issue payment.
- If there are any issues, Netragard may reject the deal.
Important Note: All sales are legal and above board. All buyers are U.S. based.
(If you have any questions I can personally be reached on MSN. My email address is adriel_at_netragard_dot_com).
9 comments:
And what would be your cut?
My cut is a finders fee, nothing more. I'm doing this to help researchers such as you get better value out of their work. My goal is to drive the prices up for all areas of this market so that researchers aren't getting taken advantage of.
Hi, how much time does it usually take to verify an EAF and make an offer?
Anonymous, it can take anywhere from one week to one month to decide if an EAF contains an item of interest.
These comments have been invaluable to me as is this whole site. I thank you for your comment.
Annerose. I'm happy that this site has been useful to you. I'm not sure that there is much strong content here yet, but there will be as we perform future work.
Can we get an average for the last few exploits? Not which ones, just costs? 'Cause I want to submit one but I am not sure if I should go here or the other guys.... 3com, etc.
We're starting a new blog called bugbroker.blogspot.com. This is where we will answer all of our Exploit Acquisition Program questions.
nice article