Mettle

  • $50 – $5,000 per vulnerability

Reward bonuses for Log4j (CVE-2021-44228)

We are pleased to announce that effective immediately, we will be offering bonus rewards for valid, successful exploitation of the Log4j vulnerability (CVE-2021-44228) on Mettle assets. This bonus period will end on Sunday 19th December 23:59:59.

As a reminder, only *.bbp-mettle.co.uk and the BBP Mettle mobile apps (links in the program scope) are in scope.

To aid you in discovering this vulnerability, we will be turning off the WAF rule for CVE-2021-44228 on this environment.

Below are the bonus details:

Bonus: CVE-2021-44228 successfully exploited to steal environment secrets, start a reverse shell or execute code that would affect the confidentiality or integrity of the system
Reward: +50% as per the usual triage process and priority rating

Join the Mettle BBP Slack Workspace if you're not already a member; you'll be able to reach someone from the Mettle Security Team there:

https://join.slack.com/t/bbp-mettle/shared_invite/enQtNzg2NTMzNzk2MzkxLWJkNmYxOTIzODNmOTA3YWRlOWQzZjQ4MmYwZWRmYzdhZjcwZmFmOGY1ZDNjZWFjOThmMjdkM2RiMzAzMjFhZGY