EAR compliance — ECCN 4D004 (conditional)

Last updated: 2026-05-13

Status — read first

Fulcrum and Bulwark are a proposed design, not operational software. The classification analysis on this page is conditional: it describes the ECCN under which the toolset would fall if built per the design. The controls enumerated below are the controls the design specifies; they are not yet runtime-enforced because the integrated runtime does not yet exist. This page is a forward-looking compliance posture, not a statement that an operational EAR-controlled product is shipping.

Trenchwork proposes a dual-use offensive-security toolset (Fulcrum CNO CLI; Bulwark antivirus agent loop). U.S. export classification governs how, to whom, and under what conditions such a toolset can be transferred. This page documents the ECCN under which the proposed design would fall once built, the controls the design specifies, the boundary against ITAR, and the regulatory citations a reviewer can verify.

Classification (if built per the design)

ECCN
4D004 — software specially designed or modified for the generation, command and control, or delivery of intrusion software. 86 Fed. Reg. 58205 (Oct. 21, 2021). Applies to the operational toolset once built.
Regime
U.S. Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774, administered by the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
Munitions list
Not on the U.S. Munitions List (USML). As designed, Trenchwork is a commercial dual-use item, not a defense article. ITAR / 22 C.F.R. Parts 120–130 does not apply.
Research carve-out
Note 1 to ECCN 4E001: 4E001.a and 4E001.c do not apply to “vulnerability disclosure” or “cyber incident response” as those terms are defined in 15 C.F.R. § 772.1, so ordinary vulnerability-research activity performed to identify, report, or remediate a vulnerability is not controlled as “technology”. The note covers technology; it does not decontrol the 4D004 software itself.
Domestic activity
EAR governs export (including deemed export), re-export, and in-country transfer outside the U.S. Private domestic design, development, possession, and sale to U.S. government agencies (federal, state, local) are not restricted by EAR, provided source code or technology is not released to a foreign person inside the U.S.; the EAR treats such a release as a deemed export to that person’s country (15 C.F.R. § 734.13(b)).

Scope — what is and isn’t controlled

Activity | Controlled under EAR? | How the design handles it
Domestic design / development of the source by U.S. persons in the U.S. | No | Source is privately held; design and partial scaffolding written by a U.S. person on U.S. soil. No operational product yet.
Sale or technical transfer to a U.S. federal, state, or local government agency (once built) | No | Federal end-use is the proposed procurement path; the engagement-delivery profile is designed to be gated to authorized USG & defense-prime work.
Coordinated vulnerability disclosure to a vendor PSIRT, HackerOne, Bugcrowd, or CERT/CC | No (Note 1 to 4E001) | The disclosure-terminal enum in src/contracts/evrp.schema.json is designed to pin the permitted channels (see Control 3 below).
Export, re-export, or in-country transfer outside the U.S. (would apply once built) | Yes; a license, or an applicable license exception such as License Exception ACE (15 C.F.R. § 740.22), is required | No transfers occur today (no operational product to transfer). The project does not currently engage in any international transfer.
Sale to a Country Group D:1 / D:5 destination or a Section 1758 listed end user | Yes; presumption of denial | Not engaged in.
Sale to a broker, exploit reseller, or gray-market intermediary | Yes, and policy-prohibited regardless | Broker channels would be structurally invalid in the rulebook schema (see Control 3 below). Once built, the CLI cannot terminate a finding through a broker.

Controls the design specifies

In the proposed design the EAR posture is not enforced by policy text alone; it is enforced by the contracts the agent loop is written against. Each control below cites where in the source it is (or would be) implemented. The contracts themselves are scaffolded; full runtime enforcement requires the integrated runtime, which is the work the proposal funds.

  1. Allowlist-gated end users (src/auth, AWS Lambda)

    The CLI is designed to authenticate via Firebase ID token verified by AWS API Gateway + Lambda. Use of the offensive-research profile (Fulcrum, Bulwark) would require an allowlisted user record. Unauthenticated or non-allowlisted callers would not be able to reach the offensive tool inventory.

  2. Append-only audit log (Firestore bulwark_runs, engagements)

    Each Fulcrum engagement and Bulwark run is specified to write a record to Firestore at the start of the run (intake) and at each phase boundary. Records would be made append-only by Firestore security rules, so the operator’s CLI cannot rewrite the log retroactively. Firestore security rules apply only to client-SDK access; writes made through the Admin SDK or by whoever holds project credentials bypass them, so “append-only” here binds the operator, not the project owner. The /audit server-side dashboard is designed to read from this log.

  3. Disclosure terminal pinned in schema (src/contracts/evrp.schema.json)

    The DisclosureTerminal enum permits exactly: psirt, hackerone, cert-cc, public-90day-advisory. There is no separate denylist: values such as broker, private_retention, and internal_only_stockpile are simply not members of the enum, so a finding carrying one of them fails schema validation. By design, a finding without an allowed terminal cannot be marked complete; the JSON Schema rejects it at validation time, not at policy-review time.

  4. EAR scope captured at intake (src/tools/engagementTools.ts)

    Engagement-delivery sessions are designed to write a phase.intake record that includes contract id, authorized recipient, scope statement, and an earScope confirmation string. The CLI is specified not to advance past intake without the field populated.

  5. Rulebook constraints (src/contracts/agent-rules.schema.json)

    The agent loop is designed to read its operating rules from a versioned schema that pins the EAR ECCN, the allowlist-gating requirement, and the disclosure-terminal allowlist. Changes to the rulebook are source-controlled and visible in git history.

  6. Authorized targets only (Fulcrum & Bulwark surface scoping)

    The Fulcrum and Bulwark profiles are designed to operate against authorized bug-bounty surfaces (Google Bug Hunters, HackerOne, Bugcrowd) or the operator’s own machines. The Computer Fraud and Abuse Act (18 U.S.C. § 1030) remains a binding constraint independent of EAR.
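The following is an added example, not code from Trenchwork or from the scaffolded contracts, showing the mechanism behind Controls 3 and 4: a finding and an intake record are checked against a JSON Schema, and a disallowed disclosure terminal fails because it is absent from the enum rather than because a separate policy check names it. The schema objects are constructed stand-ins for evrp.schema.json and the intake contract (only the four enum members and the intake field names come from this page); the validator covers just the JSON Schema keywords those stand-ins use, and the function names are assumptions.

```typescript
// Added example (not Trenchwork's code). Constructed stand-ins for the
// project's schemas; only the enum members and intake field names are from
// the compliance page. The validator handles the subset of JSON Schema
// keywords used here: type, required, properties, enum, minLength.

type JsonSchema = {
  type?: "object" | "string";
  required?: string[];
  properties?: Record<string, JsonSchema>;
  enum?: unknown[];
  minLength?: number;
};

// Control 3: the terminal is an allowlist expressed as an enum. Nothing in
// the schema mentions "broker"; it is rejected because it is not listed.
const evrpSchema: JsonSchema = {
  type: "object",
  required: ["findingId", "disclosureTerminal"],
  properties: {
    findingId: { type: "string", minLength: 1 },
    disclosureTerminal: {
      type: "string",
      enum: ["psirt", "hackerone", "cert-cc", "public-90day-advisory"],
    },
  },
};

// Control 4: every intake field, including earScope, must be present and
// non-empty before the engagement may advance past intake.
const intakeSchema: JsonSchema = {
  type: "object",
  required: ["contractId", "authorizedRecipient", "scopeStatement", "earScope"],
  properties: {
    contractId: { type: "string", minLength: 1 },
    authorizedRecipient: { type: "string", minLength: 1 },
    scopeStatement: { type: "string", minLength: 1 },
    earScope: { type: "string", minLength: 1 },
  },
};

// Returns a list of violations; an empty list means the value validates.
function validate(schema: JsonSchema, value: unknown, path = "$"): string[] {
  const errors: string[] = [];
  if (schema.type === "object") {
    if (typeof value !== "object" || value === null || Array.isArray(value)) {
      return [`${path}: expected object`];
    }
    const obj = value as Record<string, unknown>;
    for (const key of schema.required ?? []) {
      if (!(key in obj)) errors.push(`${path}.${key}: required`);
    }
    for (const [key, sub] of Object.entries(schema.properties ?? {})) {
      if (key in obj) errors.push(...validate(sub, obj[key], `${path}.${key}`));
    }
    return errors;
  }
  if (schema.type === "string" && typeof value !== "string") {
    return [`${path}: expected string`];
  }
  if (schema.minLength !== undefined && typeof value === "string" && value.length < schema.minLength) {
    errors.push(`${path}: must be at least ${schema.minLength} characters`);
  }
  if (schema.enum !== undefined && !schema.enum.includes(value)) {
    errors.push(`${path}: ${JSON.stringify(value)} is not one of ${JSON.stringify(schema.enum)}`);
  }
  return errors;
}

type GateResult = { ok: boolean; errors: string[] };

// Hypothetical gate for Control 3: a finding may be marked complete only if
// it validates, which requires an allowed disclosure terminal.
function canCompleteFinding(finding: unknown): GateResult {
  const errors = validate(evrpSchema, finding);
  return { ok: errors.length === 0, errors };
}

// Hypothetical gate for Control 4: the CLI may advance past intake only if
// the intake record validates, which requires a populated earScope.
function canAdvancePastIntake(intake: unknown): GateResult {
  const errors = validate(intakeSchema, intake);
  return { ok: errors.length === 0, errors };
}

// Usage: a broker terminal is refused at validation time, with the reason.
console.log(canCompleteFinding({ findingId: "F-2", disclosureTerminal: "broker" }));
console.log(canAdvancePastIntake({ contractId: "C-1", authorizedRecipient: "USG program office", scopeStatement: "in-scope hosts per SOW", earScope: "" }));
```

The point of reading the permitted values out of the schema object rather than hard-coding them in the gate is that the allowlist lives in one source-controlled file (the rulebook of Control 5), and adding or removing a terminal is a reviewable schema change rather than a code change in every caller.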

Why ECCN 4D004 and not USML

The 2021 BIS rule that established ECCN 4D004 was the U.S. implementation of the Wassenaar Arrangement’s 2013 entry on intrusion-software command-and-control software. The rule placed dual-use cybersecurity items under EAR, the Commerce-administered control regime for commercial technology, rather than the State-administered ITAR regime that governs defense articles. This is the correct classification for a commercial agent-orchestration framework: the controlled item is the command-and-control software, not a munition.

The practical effect is that Trenchwork can be designed, developed, possessed, and sold to U.S. government end users without an export license, because none of those activities constitute an export under the EAR, so long as source code and technology are not released to foreign persons in the U.S. (a deemed export). Once built, international transfers would require a license or an applicable license exception; Trenchwork is not engaged in any such transfers.

What this page does not do

This page is a description of the classification basis the design points to and the controls the design specifies. It is not legal advice, and it is not a statement that an operational EAR-controlled product is shipping today. Operators contemplating an international transfer, a non-U.S. end user, or any activity touching a Section 1758 listed end user should consult counsel and the BIS guidance directly before acting. The authoritative texts are the EAR itself (15 C.F.R. Parts 730–774) and the BIS website.

References

  1. U.S. Department of Commerce, Bureau of Industry and Security. Information Security Controls: Cybersecurity Items. 86 Fed. Reg. 58205, October 21, 2021. federalregister.gov/documents/2021/10/21/2021-22774
  2. U.S. Export Administration Regulations, 15 C.F.R. Parts 730–774. ecfr.gov — 15 CFR Subchapter C
  3. Bureau of Industry and Security. bis.doc.gov
  4. Wassenaar Arrangement — Public Documents, List of Dual-Use Goods and Technologies. wassenaar.org/control-lists
  5. U.S. International Traffic in Arms Regulations, 22 C.F.R. Parts 120–130 (for boundary reference). pmddtc.state.gov

Contact

Compliance questions or correction notices: Bo Shang · bo@trenchwork.org

Disclaimer. This page summarizes Trenchwork’s own conditional classification position (presuming the design is built per spec) and the controls the design specifies. It is informational, not legal advice, and is not a determination by BIS. Fulcrum and Bulwark are a proposed design as of 2026-05-13 and are not operational software. The classification of any specific transaction depends on its facts; consult counsel and BIS for advisory opinions on contemplated transfers.