Corellium is dedicated to the lawful, intended use of our technology, and to promoting and protecting human rights. We take our responsibility seriously and are vigilant in ensuring that our actions and relationships are principled and lawful. We respect civil liberties and privacy and understand our role as a company to help uphold them. That’s why we take measures to restrict sales of our products, and why we implement restrictions beyond what’s required by U.S. law. This resolve matters all the more as we continue to expand into new markets worldwide.
As part of this commitment, we limit the availability of our products according to their capabilities. For example, we limit certain products with advanced capabilities strictly to federal government agencies of the Five Eyes (FVEY) countries, while other products are available for enterprises or for individuals.
Across all of our product lines, we can confidently affirm that we have never made our technology available in countries or to entities that are sanctioned by the United States. All of our customers, both individual and enterprise, are checked against the Office of Foreign Assets Control (OFAC) sanctions lists.
Corellium maintains a limited list of countries where our on-premises security-research products are permitted to be sold. This list of 22 countries includes only the United States and close US allies where the rule of law is clearly established and where democratic institutions provide clear protections for individual liberty. Corellium permits the sale of its enterprise pen-testing cloud products in 50 additional countries. These lists are informed by resources such as the Economist Intelligence Unit’s Democracy Index and Freedom House’s Freedom in the World Report. Corellium has implemented multiple layers of procedural and technical enforcement for these restrictions, which are maintained by our security team.
Corellium also maintains a list of known bad actors, which are explicitly prohibited from purchasing or using Corellium licenses, directly or indirectly, even if they may operate or have offices in countries that are otherwise permitted. This list of entities is informed by resources such as reports from Google’s Threat Analysis Group (TAG), the Citizen Lab, the Atlantic Council, and Amnesty International. It is also informed through consultation with members of the security community, members of US government agencies, and internal research.
In addition to geographic and entity-based restrictions, Corellium also performs “know your customer” vetting for its enterprise-grade products, such as validating the representative’s identity, validating the organization’s location, understanding the organization’s use case, and checking the background of the organization. If we are unable to sufficiently validate this information, then we exercise discretion not to conduct business with that organization; and in cases where we suspect that an organization may be a bad actor, we report the organization to federal authorities.
Corellium has also established a Customer Review Committee, which reviews requested exceptions to geographical sales limitations. For example, if a reputable company, such as one of the world’s largest banks, has a pen-testing office in a country that is not on the allowed list, the Customer Review Committee may assess an exception for a sale. The Customer Review Committee is also responsible for annually reviewing the allowed and disallowed countries list, as well as the banned entities list.
This is not to say that our sales team never engages with entities to whom we later decide not to sell. Our sales team may not know enough about an organization at first to make that kind of determination, which is why we have a vetting process.
Of course, our vetting process has evolved over time to keep up with changes around us. When we were preparing to launch our first cloud product in 2019, we promoted a free seven-day trial of our beta to garner community interest; and we got tens of thousands of signups. Individuals from organizations that would not have qualified under our current vetting process received automated invites for trial accounts, including NSO, DarkMatter, and others. To be clear, none of these entities ever became customers.
Some have suggested that these beta trial signups are evidence we “do business” with “bad actors.” But the truth is that it is evidence of the opposite. We have had opportunities to profit from these bad actors and have chosen not to. That is why the United States District Court dismissed Apple’s claims that we deal with bad actors as “puzzling, if not disingenuous,” and observed that the evidence in the record shows our company has repeatedly “exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes.”
Corellium is further committed to promoting and protecting human rights by providing free accounts for journalists and human rights defenders, as we have done since the launch of our cloud product. Our suite of mobile security products is purposefully designed to help good-faith security researchers, testers, and developers analyze and improve the security of iOS and Android software for all users.