• $50 – $5,000 per vulnerability

Program stats

  • Vulnerabilities rewarded: 37
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days

Mettle is a forward-looking business account which allows businesses to better manage invoices, expenses and more. Customers are able to on-board themselves to the platform within minutes, all from within the Mettle application.

We currently have iOS and Android applications ready for testing, as well as 2 additional web applications.

There is a security testing environment specifically designed for researcher activity. Please do not perform any testing against the production platform as we do not want to intentionally upset our platform engineering team. The security testing environment is prod-like in every way bar the actual data.

Researchers who test against the production platform risk their bounty amount being deducted.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Mettle not listed in the targets section is out of scope. This includes any/all subdomains not listed below. If you believe you've identified a vulnerability on a system outside the scope, please reach out to Mettle staff in Slack.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.