Core Impact Export Licenses

Core Impact is considered a weapon by the US government, which doesn’t want this tool used against it or against American companies. For this reason, it requires Export Licenses for Core Impact.

Embargo Countries

The US has a list of countries to which nothing can be sold (North Korea, Cuba etc.). It also has a slightly longer list of people and companies that need to be avoided too. This is discussed well here: https://en.wikipedia.org/wiki/United_States_sanctions

Product Based Export Controls

The US then has another layer where certain products cannot be sold to certain places. Selling pots and pans to Russia is fine; selling F16 fighters, less so. It also makes this harder by saying that certain technologies cannot be sold to certain companies, so no modern processors to Huawei, for example.

How does this affect Core Impact?

The rules are very complex but in summary they work like this:

  1. Nothing to embargoed countries
  2. Nothing to China or Russia
  3. Government controlled entities in other countries require approval (an Export License)
  4. All commercial companies, outside items 1 and 2 above, are ok, no license needed
Is this just Core Impact?

No, this applies to other products like Core Impact too. The open source version of Metasploit doesn’t require a license (I don’t understand why), but the commercial version from Rapid7 does require a license; they discuss it here: https://www.rapid7.com/export-notice/

FAQ

How long does it take to get one?

Licenses are issued by the US government, which gets shut down from time to time, and that builds a backlog. The quickest I have seen is 2 months, the longest 10 months.

Roughly speaking, the closer a country is to America’s world view, the quicker the license comes back.

Will I get one?

We have never had one declined, but we have had restrictions placed upon the license.  This is typically to restrict the ability to test public IPs to ones that you own. As this applies to government agencies, this is not normally an issue because most government agencies just want to test themselves.

This experience is based upon working in Europe, the Middle East and Africa; I have no idea about Asia or South America, but would assume something similar.