The recent news on Forbes about our Exploit Acquisition Program has generated a lot of interesting speculative controversy and curiosity. As a result, I’ve decided to take the time to follow up with this blog entry. Here I’ll make a best effort to explain what the Exploit Acquisition Program is, why we decided to launch the program, and how the program works.
1. Researcher contacts Netragard.
2. Researcher and Netragard execute a Mutual Nondisclosure Agreement.
3. Researcher provides a verifiable form of identification to Netragard.
4. Researcher fills out an Exploit Acquisition Form (“EAF”).
5. Netragard works with the buyer to determine exploit value based on the information provided in the EAF.
6. Researcher accepts or rejects the price. Note: If rejected, the process stops here.
7. Researcher submits the exploit code and vulnerability details to Netragard.
8. Netragard verifies that the exploit works as advertised.
9. If the exploit does not work as advertised then the researcher is given the opportunity to resolve the issue(s).
10. If the exploit does work as advertised then the purchase agreement is delivered to the researcher.
11. Researcher executes purchase agreement and transfers all rights and ownership of the exploit and any information related to the exploit to Netragard. At this point the researcher loses all rights to the exploit and its respective information.
12. Netragard begins the payment process.
- Payments are issued in three equal installments over the course of three months.
- Netragard requires exclusivity for all exploits purchased through the EAP.
- Ownership of the exploit and its respective vulnerability information is transferred from the researcher to Netragard at step 11 above. Prior to step 11 the exploit and its respective vulnerability information are the intellectual property of the researcher. If at any point before step 11 the researcher terminates the acquisition process then Netragard will destroy any and all information related to the failed transaction. Termination of sale is not possible after step 11.
- Netragard will not identify its buyers.
- Netragard will not identify researchers.
- All transactions between buyer, Netragard and developer are done legally and contractually. At no point will Netragard engage in illegal activity or with unknown, untrusted, and/or unverifiable sources or entities.