Cybersecurity Penetration

Testing on the Ethereum

Blockchain

This document contains proprietary information. Expressed written consent by Buglab Limited (“Buglab”)
is required for duplication or distribution of any content contained herein.
Table of Contents

4 Abstract

5 The Cybersecurity Market

7 Blockchain Security

8 Methods of Fighting Cyber Crime

9 Bug Bounty Programs

10 The BugLab Solution

10 Core Features of the Buglab Platform

12 Defining Requirements

14 Real-Time Reporting

15 Contest Details

17 Contest Scoring

18 Vulnerability Timestamp

19 Fix Companion

20 Money-Back Guarantee

20 Service Levels

21 Vigilante Protocol

23 Computer Emergency Response Teams

23 Assigning Pentester Status

24 The Buglab Vigilante Protocol Reserve

26 Buglab Transaction Reserve

28 The Buglab Token

31 Management Team

33 Advantages of Using the Blockchain to Reshape Pentesting

33 Legal Disclaimer
THIS DOCUMENT IS NOT A PROSPECTUS OF ANY SORT

THIS WHITEPAPER SETS FORTH A DESCRIPTION OF THE PLANNED BUGLAB PLATFORM (THE “BUGLAB
PLATFORM”) AND USE OF THE BUGLAB TOKEN (THE “BGL TOKEN”). THIS IS BEING PROVIDED FOR
INFORMATION PURPOSES ONLY AND IS NOT A BINDING LEGAL AGREEMENT. BGL TOKEN SALES WILL BE
GOVERNED BY A TOKEN PURCHASE AGREEMENT. IN THE EVENT OF A CONFLICT BETWEEN THE TOKEN
PURCHASE AGREEMENT AND THIS WHITEPAPER, THE TOKEN PURCHASE AGREEMENT GOVERNS.

THIS WHITEPAPER IS NOT AN OFFERING DOCUMENT OR PROSPECTUS, AND IS NOT INTENDED TO

PROVIDE THE BASIS OF ANY INVESTMENT DECISION OR CONTRACT.

Abstract
Today’s computing environment is dynamic and complex. Demand for
cybersecurity professionals exceeds supply as hackers develop ever more
advanced schemes that target countless companies, both large and small.

A 2017 Global Information Security

Workforce Study (GISWS) joint report
from Frost & Sullivan and the
Industry growing
International Information Systems

11%
Security Certifications Consortium, Inc.
(ISC)2 forecasted that the number of
unfilled job offers in cybersecurity will
surpass well over 1.5 million by 2020.
Demand resulting from IoT or other from $138 billion in 2017
smart technology implementations is to $232 billion in 2022.
likely part of this cybersecurity growth.

3
ABSTRACT

Gartner is predicting that information security will require $93 billion in

spending globally during 2018. Any type of company and just about any kind
of software could be at risk. When authentication isn’t tamper proof, or when
email or other private data are exposed, a company, whether large or small,
could be subject to legal action.

Buglab will offer a unique, competitive, The Buglab platform detects and
incentivized, and easy-to-use platform remedies vulnerabilities on various
to address this widespread and growing business applications, websites, mobile
business need. Buglab will assist applications, Internet of Things (IoT)
companies, whether in IT, financial devices , and smart contracts by
services, or in retail, to identify and transforming penetration test services
mitigate cybersecurity gaps they may into challenges, referred to as contests,
not (but should) know about. for a community of independent
information security consultants with
certified qualifications.

The solution makes cybersecurity services

accessible to even the very smallest
enterprises that typically lack both the
resource and budget to tackle cybersecurity
vulnerabilities using traditional means.

4
The Cybersecurity Market
Impacts on Return on Investment (ROI) are difficult to quantify, so it takes
time for companies to recognize the need for cybersecurity services.

For all-too-many enterprises, as well as A significant portion of the information

individuals with any digital assets on stored across all of these ecosystems
their websites (content included), it will need protection. The cybersecurity
often takes a breach into their system market is likely to grow non-linearly to
before they take action to shore up address needs in this space.
security.
Meantime, the victims of cyber attacks
Corporations are often aware that their rarely advertise that they have been
levels of computer security fall short. targets, unless they must, and data
However finding and placing qualified vulnerabilities are rarely first priority as
cybersecurity professionals is time product gets rushed to market, so it is
intensive and costly. Regulation difficult, if not impossible, to get
requirements to protect personal data exhaustive statistics about cyberattacks
add another layer of complexity for details, including their frequency or
cybersecurity solutions. their impact on ROI. However, one
aspect is absolutely certain: the trend is
According to a ETH Zurich conference
decidedly on the rise, with some
workshop, between now and 2025,
widely-known geopolitical impacts.
there will be more than 50 billion online
devices.

50 billion
ONLINE DEVICES BY 2025
5
THE CYBERSECURITY MARKET

A standout case is that of the 2016 U.S. More recently, in May, 2017, emails and
presidential election campaign, when a documents were taken from the
massive email leak cast a shadow over mailboxes of several senior officials who
the Democratic party in July 2016. Sen. were a part of the then-future French
Hillary Clinton’s campaign was the President Emmanuel Macron’s “En
victim of a large-scale cyber attack that Marche” political movement. Their
not only put the Democratic party’s contents were exposed across social
electoral strategy in peril, but also media networks at the campaign’s final
shaped the future of American politics. hour.
In that July Reuters reported that a
There have also been countless,
“computer network used by Democratic
wide-scale breaches of medical, financial,
presidential nominee Hillary Clinton’s
and email data affecting small businesses
campaign was hacked as part of a broad
and individual users. Most readers have
cyber attack on Democratic political
seen their email or have known of a
organizations.” The article went onto
personal website that’s gotten hacked.
say that the attack “follows two other
The New York Times as well as other
hacks on the Democratic National
media sources reported on Yahoo’s
Committee, or DNC, and the party’s
disclosure that a massive breach affected
fundraising committee for candidates
500 million accounts during 2014. An
for the U.S. House of Representatives.”
earlier incident in 2013 compromised
some 3 billion users, that is all Yahoo
accounts, The Guardian and New York
Times, among other outlets reported. The
figure given out by Yahoo to the press was
… a massive breach originally 1 billion but was revised upward
affected 500 million several months later after further
investigation. Clearly, new methods to get
accounts during 2014.
ahead of the hackers are needed.

6
Blockchain Security
The method offered by Buglab deploys expertise and smart contracts across
the blockchain.

A blockchain is a thread of digital Participants who believed they were

records across which different types of sending Ether to CoinDash, were in fact
data are stored. Together, these sending them directly to the hacker.
distributed (or decentralized) records
make up a database similar to the pages A more recent case was the result of

of a large ledger book. These virtual compromised libraries at Parity Wallet.

About $300 million in Ether was locked
ledgers are hosted across many servers,
accidentally right after a fix was
which helps verify and authenticate any
implemented on a different
given transaction. It is an intense
numerical process, across many vulnerability. In the first case, a hacker
exploited a vulnerability and walked
machines hosted by countless
participants, or miners. See also with some $32 million. But the drama
didn’t end there. As Parity explained it,
Advantages of Using the Blockchain to
“It is our current understanding that this
Reshape Pentesting.
vulnerability was triggered accidentally
Yet even on the blockchain, by design a on 6th Nov 2017 ... a user deleted the
less vulnerable environment than library-turned-into-wallet, wiping out
centralized systems, the appeal of the library code which in turn rendered
monetary gain in the blockchain all multi-sig contracts unusable and
environment is enticing attackers. funds frozen since their logic (any
state-modifying function) was inside the
The equivalent of nearly $8 million was
library”. So, as of early November 2017,
stolen from CoinDash in July 2017, all
those digital assets remained frozen.
within minutes of the ICO launch, it was
reported by CoinDesk, an industry There have certainly been other claims
publication. CoinDash, which offered an of stolen assets. It’s an emerging
exchange platform for decentralized problem in a rapidly-changing industry.
trading, saw the digital assets syphoned As blockchain is an emerging
as a hacker simply took over CoinDash’s technology, few of the cases are widely
official website and replaced the understood.
corporate Ethereum address with his
own Ether wallet address.
7
Methods of Fighting Cybercrime
Traditional options for fighting cybercrime are not feasible for small
businesses and organizations. The cost of two common strategies outlined
here rapidly becomes out of reach for all but large enterprises:

Penetration tests performed by a cybersecurity

consulting firm:

Requires that clients pay for the service in terms of total billable hours,
regardless of the test results. The majority of penetration tests performed
by consulting firms are done by one, maybe two pentesters. This means
that the client is only able to take advantage of the methodology and
skillset of two consultants.

Bug bounty challenges:

Information security researchers are paid on a per-vulnerability-uncovered

basis. Companies often end up getting charged to fix issues not entirely
consequential to their revenue or customers. This is described in more
detail in the next section.

Classic cybersecurity consulting companies themselves often only send

reports at the end of their research, often in a text-type format that is
difficult to get much out of (Word, Excel, PDFs, and the like).

8
METHODS OF FIGHTING CYBERCRIME

Bug Bounty Programs

When talking about crowdsourcing in cybersecurity, one immediately thinks

of bug bounty programs. These programs aren’t adapted to small and
medium businesses.

The first reason for this is cost. Secondly, the results obtained are not
Companies that rely on bug bounty always relevant to the client. When
methods are often required to pay for using these bounty programs,
each vulnerability that’s reported. Since researchers are often able to rapidly
many of these companies lack internal uncover a number of significant flaws,
infrastructure and/or software without the requirement to do in-depth
development teams, they end up paying research. They will easily achieve a
to identify problems for which they lack reward level based upon a total count
resources to fix. Obviously, this is an of issues discovered without necessarily
inefficient way to correct vulnerabilities. adding significant value for the client.

After receiving a costly bill and an

incomplete result, opportunities for
continuity and repeat business are lost.

9
The Buglab Solution
The Buglab platform links organizations that have information security
needs, which is just about all them, with a community of certified
cybersecurity penetration testers in an incentivized environment, where
testers are rewarded when they uncover system vulnerabilities, ranked by
severity and potential impacts. It’s done as a race against time. Importantly,
finding unique vulnerabilities is ranked above simply producing a list of
issues.

Core Features of the Buglab Platform

The Buglab platform enables customers to either use the mass of pentesters or choose
a validated team from a known company. Teams must include no fewer than five
pentesters.

A variety of customizations are available, specific to your organizational needs. Some of

the features envisioned are highlighted next.

Public Contest: Private Contest:

Once companies have provided basic Clients also have the option of
information and launched the choosing a select number of
contest, the community receives a pentesters from the community or
public invitation to participate in the choose a validated team from a
competition. known cybersecurity firm to
complete the challenge.

10
THE BUGLAB SOLUTION

Selection Filters: Triage System:

Clients have the option during a Vulnerabilities reported go through

private challenge of selecting our sorting system to identify
pentesters using different filters. duplicates before landing on the
These include country, score, customer’s dashboard. The
skillset, etc. customer is guaranteed to only get
notified about relevant submissions.

Reports:
Self-Managed:
The company receives reporting on
The company can choose from three
their security contests. This feature
types of management (basic, pro,
summarizes each contest’s
and enterprise). In the case of the
performance and allows them to
latter, the client is responsible for
graphically compare the security
sorting, classifying and grading
status and progress of their assets.
reports.

Mediation: Leaderboard:
When a customer opts to manage
A dashboard offers ranking of
their challenge themselves, a
pentesters from the community
pentester from the community can
according to experience and results
ask for mediation from Buglab. This
on the platform. This provides
mediation may be required in the
greater visibility for the best
event that a pentester deems the
pentesters and makes it easier to
score or validation to be inaccurate.
select participants for a private
A Buglab team can obtain details
challenge.
regarding the cause of the
disagreement and evaluate it in an
impartial fashion.

11
THE BUGLAB SOLUTION

Chat: Fix Companion:

Every vulnerability report is a chance At the Enterprise level, Buglab will

to engage in conversation with verify that the fix has been
pentesters and to obtain their help implemented.
fixing it.

Defining Requirements

The list of potential use cases is quite long. Scenarios might include uncovering
malicious SQL injection, which routes database content to a hacker. A system may have
authentication bypass vulnerabilities. Sensitive company data may be unencrypted. File
uploads may not be protected. User sessions may be subject to takeover by malicious
entities. Perhaps the vulnerability is relatively straight-forward: for example, a company
may have insufficient login security. The Buglab strategy addresses these and other
vulnerabilities in a cost-effective manner to tackle cybercrime and its impact on the
bottom line.

The platform’s design offers multiple solutions against the threats of cybercrime. Using
either the Professional or Enterprise plans gives firms access to private teams. For
example, a penetration test contest might be closed to all but a preselected team,
depending upon the sensitivity of the data. Alternatively, a business may choose from
other packages to use an open contest model to address system vulnerabilities.

In either use case, our design provides a reward for identifying IT vulnerabilities, and
also forms the infrastructure to solve these issues. Because it takes the form of a
contest, whereby the client has constant access to penetration test results, it’s
real-time and cost effective.

12
THE BUGLAB SOLUTION

With its scoring system, Buglab

incentivizes each researcher to be the For a cybersecurity firm that
first to uncover the maximum number may require an internal team,
of significant vulnerabilities, and to the workflow would be similar
obtain the highest score, based upon a to the following:
grade attributed to each. This type of
scoring system encourages the
community to act in a manner that is 1. Pentester uploads proof of
experience, employment or
effective, thorough, and efficient.
otherwise.
Recommendations made by researchers
to mitigate vulnerabilities are also 2. Clicks Create Team in the
communicated to the client. Either the application. At least five members
pentester or Buglab itself can work are required to proceed.
directly with the customer on
3. Invites users who likewise need to
remediation.
upload ID, certifications, and
proof of experience.
Several options for privacy are available
depending upon the sensitivity of data. 4. The Buglab team reviews the
A company may choose a self-managed submittal.
contest if they require restricted access
5. If the project is accepted, a
to information. Even in the rare event of
company can then invite the
mediation, Buglab will not be able to
entire approved team.
view protected details on vulnerabilities
The contest is activated through
associated with a case unless the Buglab platform.
specifically invited.

By offering contests, Buglab caps user costs by charging a fixed price that features a
money-back guarantee in the event no vulnerabilities are detected. Within the
challenge or contest framework, community pentesters act independently (though on
the same project) to use their diverse technical skills to find and expose security flaws.
They are thus able to discover a large number of vulnerabilities in a short amount of
time. It’s an efficient model for uncovering cyber threats.

13
THE BUGLAB SOLUTION

Real-Time Reporting

Companies staff follow the contest as they unfold in real time to see
reported vulnerabilities and mitigation recommendations. They’ll have the
means of communicating with the pentesters for follow up. The platform
also can integrate with other reporting tools, at your company’s discretion.

The contest dashboard provides quick access to the progress made by researchers, the
type of vulnerabilities uncovered, and top contributors.

The dashboard also enables real-time interactions in a intuitive way to help clients
address the vulnerabilities with the help of the researchers or the Buglab team.

14
The Contest

Companies sign up on the platform and Clients are able to customize the
provide information about themselves confidentiality1 of the competition, the
and their products and services. Then, type of management they want, and the
thanks to a simple and user-friendly level of compensation, which depends
interface, they subscribe to a upon the selected plan and an optional
competition contract, whose rules they bonus. As necessary, a Buglab team will
define. interact with customers to help them
set up program parameters.

1
As the contests can be self managed, only the client and pentester who found the bug will have access to vulnerability details.
Pentesters are bound by the Terms and Conditions required during signup to ensure ethical use of the data.
THE CONTEST

Based on the type of confidentiality2 Selection can be made according to

that has been selected, they can then several criteria, including a pentester’s
choose from a list of pentesters in the country, or their skill areas. The start
community. date is always determined by you.

The Buglab platform also assigns a Using the methods that Buglab offers,
proper match based upon the Buglab penetration testing follows a unique
recommendation engine. trajectory, as shown in the following
figure.

The scoring system encourages (that is, incentivizes) each pentester to be the first to
uncover a maximum amount of vulnerabilities, and to obtain the highest score. Each
vulnerability is assigned a score. An undiscovered issue gets a full score. Scoring for
duplicate entries factors in timestamp (to encourage early reporting of significant
vulnerabilities) and the number of pentesters. See also Vulnerability Timestamp.

2
Every pentester operates under the assumption that no vulnerability nor any details associated with a vulnerability
issue will be shared with any person or company aside from the customer/client, unless explicitly allowed by the client.
Sharing of any proprietary information is subject to client policy. Moreover, jurisdictional regulations with regards to
access to private data vary.
16
THE CONTEST

Contest Scoring

Upon the contest launch our community When the contest concludes, the role of
of pentesters that have registered with Buglab is limited to vulnerability scoring
Buglab is notified. Our international and triage using the Common
cybersecurity pentesters then analyze, Vulnerability Scoring System 3 (CVSS3)
test, and report back on the standard described in Vulnerability
vulnerabilities of a solution directly on Timestamp. Pentesters are
the Buglab platform. compensated according to their rank in
the contest.

An example of the leaderboard is provided in the following screen.

In the event of a dispute, a Buglab internal team may act as a mediator to help clarify
unresolved issues. This could occur, for example, if scores are in dispute or the validity
of a vulnerability is in question.

17
THE CONTEST

Vulnerability Timestamp

Penetration test contests depend on the Vulnerability Timestamp (VTS) that

corresponds to the exact moment a vulnerability was reported.

It was necessary to set up a ranking For such cases, researchers obtain

system in order to be able to reward CVSS3 scores based on the speed with
the best researchers according to both which they were able to uncover the
their overall score and timing. A vulnerability. The first to have done so
pentester’s overall score for a contest will receive full marks, and those that
is equal to the sum of all of the scores follow will see their score diminish
they’ve received for uncovering a according to their rank in time and the
vulnerability. The score for a number of pentesters who have
vulnerability is based on objective and uncovered that same vulnerability.
measurable criteria, thanks to CVSS3,
described in the previous section.

Several pentesters working

● No timestamp can be fraudulently
independently from one another can
incorporated
discover the same vulnerability and
report it on Buglab’s platform at ● No timestamp can be modified
different moments in time, which after publication
results in duplicate reports, as shown
● All are available to be read (by all)
in the following screen.

In the event of duplication, Buglab can provide the means of verification of a score
assigned to a pentester, fully securely, without ever revealing any sensitive information
whatsoever

18
THE CONTEST

Fix Companion

At the Enterprise level, Buglab will Through the entire duration of the
verify that the fix has been challenge companies can chat with
implemented. Buglab will attempt to pentesters and access reports, they will
verify (exploit) the vulnerability again. be able to implement
When confirmed as fixed, a Buglab team recommendations to remedy the
of analysts will update the status vulnerabilities in real time. This is
accordingly in the platform. A “fix” can especially useful if the vulnerabilities
be declined by Buglab to give the and the associated fixes are time
company a chance to address the sensitive. Companies need not wait until
vulnerability again. The company will be the end of the contest to implement a
allotted up to five attempts to address fix.
the vulnerability issue.

19
THE CONTEST

Money-Back Guarantee
At the end of the contest, if it turns out that our customer’s systems are free of
vulnerabilities, Buglab will automatically refund, using our smart contract, 90 percent of
the cost of the contest. The remaining ten percent are retained for the Vigilante
Protocol Reserve (VPR), as explained below in the section titled Vigilante Protocol.

Service Levels

For a fixed price, Buglab will organize penetration tests done by experts pre-approved
by our team. Highlights of the features with the three service levels are provided in the
following table.

FEATURES / PLANS BASIC PROFESSIONAL ENTERPRISE

Team management
Issue tracker integration
Reports analytics
Chat with pentesters
Public contests

Public & private contest

Invite pentesters
Search pentesters by expertise
Dedicated account manager
Bug reproduction

Bug triage & validation

Dublicate detection
Fix companion
Invite Security Teams

20
Vigilante Protocol

In addition to rolling out contests for We invite companies to reward the

enterprises of varying scales, Buglab is whitehats in the form of optional tips or
introducing a globally-integrated gratuity when they discover flaws. It’s a
hacking prevention program known as way for companies to obtain
the Buglab Vigilante Protocol. It’s a recommendations for their solutions
system that allows whitehat researchers from watchful guardians at little cost to
to report on system vulnerabilities of a them.
company that isn’t one of our platform’s
customers.
VIGILANTE PROTOCOL

This protocol enables whitehats from the community as well as anonymous whitehat
users to report vulnerabilities in a secure and ethical way3 to companies that are not
Buglab customers4.

More information is provided in the next section.

A company can chose to give a whitehat an optional reward and/or order a contest. If a
company orders a contest, the whitehat will receive two percent of the service cost.
Buglab will recommend that the company invite this whitehat to participate, even if
he/she doesn’t have pentester status.

3
An ethical hacker’s role is similar to that of a penetration tester, but it involves broader issues. Aside from testing
duties, ethical hackers are often tasked with other responsibilities such as finding countermeasures to beef up the
system’s defenses.
4
Note that Buglab will report a vulnerability to the applicable CSIRT without attempting to exploit any vulnerability
discovered by the whitehat researcher.

22
VIGILANTE PROTOCOL

Computer Emergency Response Teams

Our Vigilante Protocol Smart Contract In addition to notifying the company in

enables communication of sensitive question of a vulnerability, CSIRT and
information in a confidential and secure Computer Emergency Response Teams
manner through the applicable certified (CERT) will themselves have to triage
national authorities, namely computer and score it. In return, once the
security incident response teams company marks a vulnerability as
(CSIRT), which are administered by many resolved, the response teams will be
countries across the globe. rewarded tokens that come out of the
Vigilante Protocol Reserve, as
partnerships are forged with Buglab.

Assigning Pentester Status

For a whitehat to reach pentester status Another way to achieve pentester

and to be able to participate in the status is by participating in the Vigilante
various challenges, they must, when Protocol in order to prove one’s abilities
signing up for the platform, furnish at and willingness to participate in our
least one of the certifications that are preventative security strategy. Once
required by Buglab. Their account is they’ve collected a total of 20 points, in
only approved once those requirements accordance with the CVSS3 grading
have been validated. The two system, they will be able receive the
mandatory requirements Buglab status and take part in the challenges.
employs for becoming pentester is ID
plus certification. Country of residence
is optional.

23
VIGILANTE PROTOCOL

The Buglab Vigilante Protocol Reserve

The VPR has several functions. Its Finally, it allows us to pay fees that are
purpose is in part to reward whitehat inherent to the various transactions
researchers who contribute to the performed on the Ethereum blockchain,
Vigilante Protocol by drawing up and more specifically regarding the
reports about vulnerabilities (once they timestamping of vulnerabilities. The
have been approved). It also allows VPR is initially funded with 20 percent
Buglab to compensate CSIRTs and of the token allocation from the
CERTs, who play an intermediary role. crowdsale. Please refer to Buglab Token
Distribution Event for further details.

The Buglab VPR is funded in a continuous manner by

systematically acquiring ten percent of the tokens from the
following three different sources.

Ten percent of the contest cost:

When the contest begins, ten percent of the cost to launch the contest will be
automatically transferred into the VPR via the smart contract. This will be
automatically taken from the customer's payment. The customer has no control
no influence over this process.

Ten percent of any custom pentester reward:

When a verified pentester wins a customer run contest, the pentester will be
rewarded automatically through the smart contract.

24
VIGILANTE PROTOCOL

This is standard for all contests. However, at the end of the contest, the contest
owner also has the option to make additional payouts to pentesters who may not
have won, though rank near the top, and/or have identified significant
vulnerabilities. It may be the case that other submissions provide more thorough
and useful test vectors. The contest owner can choose to gift the close
competitors a discretionary amount of tokens. The VPR will automatically take
ten percent of these tokens.

Ten percent of any custom whitehat reward:

When a whitehat researcher discovers a vulnerability, if the product owner is not

a Buglab customer, the owner is encouraged to make a payment to the
researcher and/or begin a vulnerability contest with Buglab. Gratuity payments
to whitehat researchers will automatically include ten percent for transfer to the
VPR.

The VPR is summarized by the following simple formula.

Where VPRTDE is the (Token Distribution Event (TDE) allocation to the VPR, Ccontest is a customer’s
cost for a contest, Rcustom is any custom reward from a contest, Rwhitehat is any optional reward given
to a whitehat researcher by the concerned company, N is the total number of contests run so far,
and i is the contest number for the individual contest.

The equation above does not take into

consideration transaction fees and gas costs Note: The ten percent taken from
spent making disbursements from the VPR, each of the three sources above is
as these would be paid from the Buglab automatic and non-refundable. It will
Transaction Reserve (BTR). This is described always be transferred to the VPR in
in the next section. order to keep it liquid.

25
VIGILANTE PROTOCOL

Buglab Transaction Reserve

Financial transactions made on the This is a standard of the Ethereum
blockchain by Buglab, in the regular blockchain. In order to pay these fees,
course of operation, will require Buglab will create a specific reserve,
payment of transaction fees to miners described as the BTR.
in order to get these transactions
included in the block.

After an initial allocation from the TDE, which is one percent, the reserve will
be funded with smart contracts by reserving:

One percent of the customer’s cost of each contest

One percent of all rewards provided during the contest

One percent of all rewards from the VPR

The Buglab Transaction Reserve will be In a future release of the Ethereum

a multi-signature wallet contract that blockchain, it will be possible to use
will hold BGL Tokens. When needed, ERC20 tokens directly for paying
Buglab will convert a portion of these transaction fees. When this becomes
tokens into Ether that can be used to possible, it will no longer be necessary
pay for the necessary transaction fees. to convert these tokens to Ether
This wallet will require at least three of
five signatures to transfer tokens out
when making this conversion to Ether.

26
VIGILANTE PROTOCOL

At any given point in time, the BTR value is given by the following equation:

Where BTRTDE is the TDE allocation to the BTR, Ccontest is a customer’s cost for a contest,
Rcontest is a reward from a contest, RVPR is a reward from the VPR, Fpaid is the fees paid for
the transactions on a contest, N is the total number of contests run so far, and i is the
contest number for the individual contest.

The calculation above considers that

transaction fees are paid per contest, Note: The one percent taken from
but in practice, fees are likely to be each of the three sources above is
accumulated and reimbursed in a lump automatic and non-refundable. It will
sum (monthly or quarterly) back to the always be transferred to the BTR in
order to provide a supply of funds for
original Buglab accounts that incurred
paying transaction fees on the
the fees in the first place.
blockchain.

27
The Buglab Token

● To reward contest winners—allowable up

The Buglab token (BGL) is being
to the top three in rankings, or as
introduced to incentivize customized by the company.

penetration testing in the ● To cover the cost of a contest, including

transaction costs.
blockchain environment.
● To enable and tokenize “tipping”
In the context of the Buglab functionality for white hats.

experience, token exchange ● To fund both the VPR and BTR.

occurs in the following scenarios. ● To reward CERTs and CSIRTs for triaging
of vulnerabilities and help build new
partnerships.
THE BUGLAB TOKEN

Tokens can be transferred between two The BGL Token is based on the ERC20
parties over the Internet according to standard for blockchain tokens. As
the rules set within the contract that illustrated in the following figure, the
holds the token. During the TDE, tokens token will be required for all
are pre-sold at a discount to users who transactions made within the
see value in the platform and anticipate ecosystem, including ordering a contest.
they will use the tokens to access the
platform when it is ready and generally
available for public use.

Contest Vigilante Protocol

Activate Contests Sustain Operation

Clients set up contest to fit The token taken from each

their pentesting needs and contest will flow back to
allocate tokens as rewards support CSIRT and CERT
operations globally

Secure Compensation Reward White-Hat

Pentesters are ranked based Companies are invited to

on cumulative scores and reward BGLs to white-hats as
compensated in way that compensation via smart
secures private information contract

29
THE BUGLAB TOKEN

Most highly skilled penetration testers and whitehats don’t want to disclose their
financial information in order to receive payments, so by creating a token we are able to
attract those people. We also believe that this is the best solution for rewarding
whitehats who participate in the vigilante process as guests.

Token Distribution Event (“TDE”)

Buglab will be the creator and issuer of BGL and will deploy a smart contract
system to receive contributions and to create and issue BGL to contributors
during a TDE.

Full details of Buglab’s TGE are set out in Buglab’s TDE document (a copy of which can
be found at the “TDE Document”.

This whitepaper should be read in conjunction with the

TDE Document.

30
Management Team
We are united by our mission to help companies protect their digital
solutions.

Reda Cherqaoui
Founder, CEO

Having started at the young age of 16, Reda is a

veteran in the field of cybersecurity. Companies
that he has helped ranges from banks to
electronics manufacturers.

Youness Aamiri
Blockchain Developer

In addition to speaking Arabic, French and English,

Youness is also fluent in the script language of
HTML, CSS and PHP. Nowadays, he is focused on
building a blockchain ecosystem to reshape
pentesting.

Amine Bioudi
Full Stack Developer

With years of UI design experience, Amine is

passionate about building a platform to enable the
best possible user-product interaction.

31
MANAGEMENT TEAM

Azdine Bouhou
Software Architect

Azdine is a seasoned software designer with

experience in the field of insurance, legal and
notary. Fascinated by the potential of blockchain
technologies, he is now helping buglab build its
own platform.

Dalal Cherqaoui
Marketing and Communications Manager

Dalal is a marketing veteran with over 11 years in

global marketing groups such as TBWA and Ogilvy.
She is a creative storyteller that finds new ways to
engage with key stakeholders.

Herve Schauer
Advisor

With over 28 years of experience, Herve is

considered a pioneer for France’s IT security
industry. He currently heads his own firm, HSC,
which was acquired by Deloitte France in 2014.

32
Advantages of Using the
Blockchain to Reshape Pentesting
Characteristics of the ecosystem are highlighted in this section.

Disintermediation:
For a transaction to go into effect, it has to be approved by all the miners, which
verify the transaction’s validity. Only then can a transaction be incorporated into
network nodes on the blockchain. Adding new blocks requires a consensus
between the network’s players. This process renders control by a third party
obsolete.

Security:
The code for each new block is built on that of the block that precedes it in the
blockchain, in such a way that modifying a single block would involve changing all
of the blocks in the chain, which is impossible. Within a blockchain, the blocks as a
whole are replicated across nodes on the network, and don’t reside on an
individual single server. This decentralized architecture acts as a structural
defense against risks of data theft. The data on these blocks is protected by a
number of innovative cryptographic procedures, to prevent modification after
the fact.

Autonomy:
Within a blockchain, servers and supporting architecture are dispersed across the
network. The blockchain is ideally independent of third party services. Miners
allocate a portion of their machine’s powerful calculating power to compute
algorithms required to validate transactions. This work is rewarded. In the Buglab
contest, the first miner to validate a block wins tokens. This opportunity for
financial gain encourages powerful competition. For uncovering cybersecurity
threats, this method provides value to the client.

33
ADVANTAGES OF USING THE BLOCKCHAIN TO RESHAPE PENTESTING

Smart Contract:
A smart contract is an “If this, then that” logic. It verifies that the goal has been
met and then enables a digital transfer. The terms of the contract are not
changeable after the fact, although the parties involved still retain access. The
competitive nature of contests make them a crucial part of accelerating
exchanges. In this environment, pentesters will discover and communicate
vulnerabilities quickly.

Legal Disclaimer
As of the date of publication of this whitepaper, No promises of future performance or value are or
BGL Tokens have no known potential uses outside will be made with respect to BGL Tokens, including
of the Buglab platform ecosystem. This whitepaper no promise of inherent value, no promise of
does not constitute advice nor a recommendation continuing payments, and no guarantee that BGL
by Buglab, its officers, directors, managers, Tokens will hold any particular value.
employees, agents, advisors or consultants, or any
other person to any recipient of this document on Unless prospective participants fully understand

the merits of the participation in the TDE sale. and accept the nature of Buglab and the potential

Participation in the TDE carries substantial risks and risks inherent in BGL Tokens, they should not

may involve special risks that could lead to a loss of participate in the TDE. BGL Tokens are not being

all or a substantial portion of such investment. structured or sold as securities. BGL Tokens are sold
as a functional good and all proceeds received by
Do not participate in the TDE unless you are Buglab may be spent freely by Buglab, absent any
prepared to lose the entire amount you allocated to conditions set out in this whitepaper. This
purchasing BGL Tokens. BGL Tokens should not be whitepaper is not a prospectus or disclosure
acquired for speculative or investment purposes document and is not an offer to sell, nor a
with the expectation of making a profit or solicitation of any offer to buy any investment or
immediate resale. financial instrument in any jurisdiction and should
not be treated or relied upon as one.

34
LEGAL DISCLAIMER

This whitepaper is for information only. Written Buglab believes that this industry data is accurate
authorization is required for distribution of any or and that its estimates and assumptions are
all parts contained herein. reasonable; however, there are no assurances as to
the accuracy or completeness of this data. Third
All information here that is forward looking is party sources generally state the information
speculative in nature and may change in response contained therein has been obtained from sources
to numerous outside forces, including technological believed to be reliable; however, there are no
innovations, regulatory factors, and/or currency assurances as to the accuracy or completeness of
fluctuations, including but not limited to the included information. Although the data are
market value of cryptocurrencies. believed to be reliable, Buglab has not
independently verified any of the data from third
This whitepaper is for information purposes only
party sources referred to in this whitepaper or
and is subject to change. Buglab cannot guarantee
ascertained the underlying assumptions relied upon
the accuracy of the statements made or conclusions
by such sources.
reached in this document.

Please note that Buglab is in the process of

Buglab does not make and expressly disclaims all
undertaking a legal and regulatory analysis of the
representations and warranties (whether express
functionality of its BGL Tokens. Following the
or implied by statute or otherwise) whatsoever,
conclusion of this analysis, Buglab may decide to
including but not limited to:
amend the intended functionality of its BGL Tokens
in order to ensure compliance with any legal or
● any representations or warranties relating
regulatory requirements to which we are subject. In
to merchantability, fitness for a particular
the event that Buglab decides to amend the
purpose, suitability, wage, title or
intended functionality of its BGL Tokens, Buglab
non-infringement;
will update the relevant contents of this

● that the contents of this document are whitepaper and upload the latest version of this to

accurate and free from any errors; and its website.

● that such contents do not infringe upon Any BGL Tokens could be impacted by regulatory

any third party rights. Buglab shall have no action, including potential restrictions on the

liability for damages of any kind arising out ownership, use, or possession of such tokens.

of the use, reference to or reliance on the Regulators or other circumstances may demand

contents of this document, even if advised that the mechanics of the BGL Tokens be altered,

of the possibility of such damages. all or in part. Buglab may revise mechanics to
comply with regulatory requirements or other
governmental or business obligations.
This whitepaper includes references to third party
Nevertheless, Buglab believes they have taken all
data and industry publications.
commercially reasonable steps to ensure that its
planned mechanics are proper and in compliance
with currently considered regulations.

35
LEGAL DISCLAIMER

Caution Regarding Forward-looking Statements

This whitepaper contains forward-looking Although the forward-looking statements

statements or information (collectively contained in this whitepaper are based upon what
“forward-looking statements”) that relate to Buglab believes are reasonable assumptions, these
Buglab’s current expectations and views of future risks, uncertainties, assumptions, and other factors
events. In some cases, these forward-looking could cause Buglab’s actual results, performance,
statements can be identified by words or phrases achievements, and experience to differ materially
such as “may”, “will”, “expect”, “anticipate”, “aim”, from its expectations expressed, implied, or
“estimate”, “intend”, “plan”, “seek”, “believe”, perceived in forward-looking statements. Given
“potential”, “continue”, “is/are likely to” or the such risks, prospective participants in a TDE should
negative of these terms, or other similar not place undue reliance on these forward-looking
expressions intended to identify forward-looking statements. Risks and uncertainties include, but are
statements. Buglab has based these not limited to those identified in the Token Sale
forward-looking statements on its current Terms and Conditions. These are not a definitive list
expectations and projections about future events of all factors associated with a making a
and financial trends that it believes may affect its contribution to Buglab in connection with its
financial condition, results of operations, business operations.
strategy, financial needs, or the results of the TDE
or the value or price stability of the BGL Tokens. Buglab undertakes no obligation to update any
forward-looking statement to reflect events or
In addition to statements relating to the matters circumstances after the date of this whitepaper.
set out here, this whitepaper contains
forward-looking statements related to Buglab’s The Company’s business is subject to various laws

proposed operating model. The model speaks to and regulations in the countries where it operates

its objectives only, and is not a forecast, projection or intends to operate. There is a risk that certain

or prediction of future results of operations. activities of the Company may be deemed in

violation of any such law or regulation. Penalties for
Forward-looking statements are based on certain any such potential violation would be unknown.
assumptions and analysis made by Buglab in light of Additionally, changes in applicable laws or
its experience and perception of historical trends, regulations or evolving interpretations of existing
current conditions and expected future law could, in certain circumstances, result in
developments and other factors it believes are increased compliance costs or capital expenditures,
appropriate, and are subject to risks and which could affect Buglab’s profitability, or impede
uncertainties. Buglab’s ability to carry on the business model and
the BGL Token model proposed in this whitepaper.

36