Sunday, March 28, 2010

Exploit Acquisition Program - More Details

The recent news on Forbes about our Exploit Acquisition Program has generated a lot of interesting speculative controversy and curiosity. As a result, I've decided to take the time to follow up with this blog entry. Here I'll make a best effort to explain what the Exploit Acquisition Program is, why we decided to launch the program, and how the program works.

What it is:

The Exploit Acquisition Program ("EAP") officially started in May of 1999 and is currently being run by Netragard, LLC. The EAP is specifically designed to acquire "actionable research" in the form of working exploits from the security community. The Exploit Acquisition Program is different from other programs because participants receive significantly higher pay for their work and in most cases the exploits never become public knowledge.

The exploits that are acquired via the EAP are sold directly to specific US-based clients that have a unique and justifiable need for such technologies. At no point does Netragard sell or otherwise export acquired exploits to any foreign entities. Nor do we disclose any information about our buyers or about participating researchers.

Why did we start the EAP?

Netragard launched the EAP to give security researchers the opportunity to receive fair value for their research product. Our bidding prices start at or around $15,000 per exploit. That price is affected by many different variables.

How does the EAP Work?

The EAP works as follows:
  1. Researcher contacts Netragard.
  2. Researcher and Netragard execute a Mutual Nondisclosure Agreement.
  3. Researcher provides a verifiable form of identification to Netragard.
  4. Researcher fills out an Exploit Acquisition Form ("EAF").
  5. Netragard works with the buyer to determine exploit value based on the information provided in the EAF.
  6. Researcher accepts or rejects the price. Note: If rejected, the process stops here.
  7. Researcher submits the exploit code and vulnerability details to Netragard.
  8. Netragard verifies that the exploit works as advertised.
  9. If the exploit does not work as advertised then the researcher is given the opportunity to resolve the issue(s).
  10. If the exploit does work as advertised then the purchase agreement is delivered to the researcher.
  11. Researcher executes purchase agreement and transfers all rights and ownership of the exploit and any information related to the exploit to Netragard. At this point researcher loses all rights to the exploit and its respective information.
  12. Netragard begins the payment process.
  13. Payments are issued in three equal installments over the course of three months.

EAP Rules
  1. Netragard requires exclusivity for all exploits purchased through the EAP.
  2. Ownership of the exploit and its respective vulnerability information are transferred from researcher to Netragard at step 11 above. Prior to step 11 the exploit and its respective vulnerability information are the intellectual property of the researcher. If at any point before step 11 the researcher terminates the acquisition process then Netragard will destroy any and all information related to the failed transaction. Termination of sale is not possible after step 11.
  3. Netragard will not identify its buyers.
  4. Netragard will not identify researchers.
  5. All transactions between buyer, Netragard and researcher are done legally and contractually. At no point will Netragard engage in illegal activity or with unknown, untrusted, and/or unverifiable sources or entities.
If you are interested in selling your exploit to us, please contact us at eap@netragard.com.