Mettle

  • $50 – $5,000 per vulnerability

Reminder: Reward bonuses for Log4j vulnerabilities

Hello Researchers! Just a reminder that we are still running our bonus rewards for any valid, successful exploitations of the Log4j vulnerabilities on Mettle assets. This bonus period will end on Sunday 19th December 23:59:59.

As a reminder, only *.bbp-mettle.co.uk and the BBP Mettle mobile apps (links in the program scope) are in scope.

To aid you in discovering this vulnerability, we have turned off the WAF in this environment.

Below are the bonus details:

Bonus: CVE-2021-44228 successfully exploited to steal environment secrets, start a reverse shell or execute code that would affect the confidentiality or integrity of the system

Reward: +50% as per the usual triage process and priority rating

Join the Mettle BBP Slack Workspace if you're not already a member; you'll be able to reach someone from the Mettle Security Team there:

https://join.slack.com/t/bbp-mettle/shared_invite/enQtNzg2NTMzNzk2MzkxLWJkNmYxOTIzODNmOTA3YWRlOWQzZjQ4MmYwZWRmYzdhZjcwZmFmOGY1ZDNjZWFjOThmMjdkM2RiMzAzMjFhZGY