How we vet our customers

Recently, our sales team turned down a six-figure deal because we had reason to believe the would-be customer had ties to actors known for weaponizing iOS exploits to conduct genocide in China.

This wasn’t the first time we turned down a large sales opportunity to an organization that didn’t pass our vetting process. Over the course of our company’s history, we’ve turned down millions of dollars in sales to organizations we suspected might use our product for malicious purposes.

Our team is strongly committed to promoting and protecting human rights. That’s why we take measures to restrict sales of our product, and we don’t simply adhere to restrictions required by U.S. law, such as prohibitions against selling to organizations in sanctioned countries or on the Entity List. Rather, we apply even more rigorous internal standards to restrict sales.

This isn’t to say that our sales team has never engaged with entities we later decided not to sell to. Sometimes our sales team doesn’t know enough about an organization at first to make that kind of determination, which is why we have a vetting process.

Of course, our vetting process has evolved over time to keep up with changes around us. When we were preparing to launch our first cloud product in 2019, we promoted a free seven-day trial of our beta to garner community interest, and we got thousands of signups. Individuals from organizations that wouldn’t have qualified under our current vetting process received automated invites for trial accounts, including NSO, DarkMatter, and others. To be clear, none of these entities became customers.

Some may argue that these beta trial signups are evidence we “do business” with “bad actors.” But the truth is it’s evidence of the opposite. We’ve had opportunities to profit from these bad actors and have chosen not to. That’s why the District Court dismissed Apple’s claims that we deal with bad actors as “puzzling, if not disingenuous,” and observed that the evidence in the record shows our company has “exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes.” 

Our vetting process is first informed by certain sales guidelines, such as time and location restrictions. All trials are cloud-based, and they can only be used for a limited number of hours before expiring. We restrict sales of our cloud products to fewer than sixty countries, and our restrictions for shipping our on-site products are even more stringent. There are also certain organizations on our “block list,” which we update as new information becomes available. 

Our vetting process gets progressively more intensive the further an organization moves through the sales pipeline. When someone signs up for a cloud trial, we apply automated checks and perform a cursory manual review, including an OFAC (Office of Foreign Assets Control) search. When someone requests a quote for our on-site product, we will research an organization in considerably more detail. 

This research would typically include, at a minimum: 

  • Detailed conversations about their use case
  • Inquiries with our trusted contacts in the security community, including contacts at various US government agencies
  • Evaluation of the organization’s online presence and social media, including information such as media reports, research contributions, social mentions, and security conference attendance
  • Investigation into the organization’s ownership, corporate structure, and employees

Based on this research, and other considerations, we make a final determination.

Corellium is committed to promoting and protecting human rights. Since the launch of our cloud product, we’ve provided free accounts for journalists and human rights defenders, and we regularly sponsor security research trainings. Our suite of products is purposefully designed to help security researchers and engineers analyze and improve the security of iOS and Android software.

We are tremendously appreciative of the support that our customers and our community have given us throughout our company’s history. If you have any additional questions about our vetting process, or advice on how we can continue to improve it, please don’t hesitate to reach out.