Core Impact is considered a weapon by the US government and the government doesn’t want this tool used against it, or American companies. For this reason it imposes the requirement for Core Impact to have an Export License.
The US have a list of countries to which nothing can be sold (North Korea, Cuba etc.). They also have a slightly longer list of people that companies must avoided selling to. This is discussed well here: https://en.wikipedia.org/wiki/United_States_sanctions
Product Based Export Controls
The US then have another layer where certain products cannot be sold to particular countries. Selling pots and pans to Russia is fine, selling F16 fighters, less so. They also make this harder by saying that certain technologies cannot be sold to listed companies; so no modern processors to Huawei for example.
How does this affect Core Impact and an Export License?
The rules are very complex but in summary they work like this:
- Nothing to embargo counties
- Nothing to China or Russia
- Government controlled entities in other countries require approval (an Export License)
- All commercial companies, outside items 1 and 2 above, are ok, no license needed
Is this just Core Impact?
No this is other products like Core Impact too. Metasploit open source, doesn’t require a license (I don’t understand why) but the commercial version from Rapid7 does require a license; they discuss it here: https://www.rapid7.com/export-notice/. The excellent Hak5 products are also heavily restricted. https://shop.hak5.org/pages/export-compliance
This still impacts you, even if you are not in the affected group
Core have a small internal clearance process that they run through for every order. This is to double check that “Boris Johnson, based in London”, isn’t really Vladimere Putin based in Russia.
To complete this verification they need:
- Company formal name
- Company registered address
- Web site
- End user name
- End user email
They will not accept Gmail, Hotmail or similar email addresses. If is much easier if all the details match, so for example: S4 Applications Limited, with a web site called www.s4applications.uk, and email addresses firstName.lastName@s4applications.uk.
How long will it take?
This is the US government that gets shut down from time to time, which builds a backlog. The quickest I have seen is 2 months, the longest 10 months.
Roughly speaking, the closer a country is to America’s world view, the quicker the license comes back.
Will I get an export license?
We have never had one declined, but we have had restrictions placed upon the license. This is typically to restrict the ability to test public IPs to ones that you own. As this applies to government agencies, this is not normally an issue because most government agencies just want to test themselves.
This experience is based upon working in Europe, Middle East and Africa; I have no idea in Asia or South America, but would assume something similar.