• $100 – $5,000 per vulnerability
  • Up to $5,000 maximum reward
  • Managed by Bugcrowd

Program stats

321 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$416.12 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

For this program, we're inviting researchers test our freelancer platform, and mobile iOS/Android/Desktop apps. Our goal with this program, is to ensure that our customers are using a secure platform that's free of security vulnerabilities. For the purposes of testing, researchers can create their own user credentials.

To participate in the Upwork please configure your scanner to Include "bugcrowd" in the user-agent string. Failure to do so may result in your IP being temporarily blocked from participation on the program.

Please also note: Upwork regularly releases new code. In the event you don't find anything today, there may be something present tomorrow. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! To stay up to date on the latest releases from Upwork --- go here.


For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please see below for exclusions specific to this program.


Priority iOS, Android Web, Desktop, API
P1 $5,000 $2,000
P2 $2,000 $1,200
P3 $600 $400
P4 $250 $100

Special Web-Based High Impact Reward!

In addition to the regular rewards for this program, Upwork is also offering a one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts, and steal the funds allocated to it. The account are: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.


  • Please provide complete reproduction steps for how you were able to capture the flag
  • Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.


In scope

Target name Type
*.upwork.com Other
Upwork - iOS and Android Applications Other
Upwork Dash Messanger Desktop Version (www.upwork.com/downloads) Other
https://www.upwork.com/api API

Out of scope

Target name Type
community.upwork.com Website
support.upwork.com (Any vuln related to a support ticket) Website
Any subdomain/domain/property not listed in the 'in scope' section, is out of scope. Other
Any Third-party Services Website

Any domain/property of Upwork not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target information:

  • Please note that the mobile web app is available at: upwork.com/mobile
  • Information on the public messaging API is available at: developer.upwork.com and also attached to the listing.
  • To view a list of what will likely be the best areas to focus on to find valid and unique findings, please go here

Upwork - iOS and Android Applications

API Documentation: https://developers.upwork.com/


Credentials for this can be freely and easily self-provisioned:

-Sign up for Upwork API
-How do I get started as a client?
-Getting Started as a Freelancer

Note: If you'd like either an expedited Client or Freelancer account, please email alexbod@cloud.upwork.com with the subject line: Request for Upwork Researcher Account and they will assist!

When testing please only test against jobs that you have created - do not test against jobs owned by persons other than yourself


  • All CSRF vulnerabilities will likely be evaluated at P4 level
  • Social Engineering
  • Uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox)
  • Network-layer D/DoS
    • If you suspect an application-layer D/DoS, contact Bugcrowd to review the vulnerability. Do not proof-of-concept application-layer D/DoS attacks without prior consent.
  • All attack payload data must use professional language (ex: “test” rather than “this has been hacked.”)
  • If able to gain access to a system, accounts, users, or user data, stop at the recognition of and report. Do not dive deeper to determine how much more is accessible.

Additionally, the following vulnerabilities are considered too low of an impact, and will be marked as Out of Scope if submitted:


  • Account/e-mail enumeration using brute-force attacks
  • Any low impact issues related to session management (i.e. concurrent sessions, session expiration, password reset/change logout, etc.)
  • Bypassing content restrictions in uploading a file without proving the file was received
  • Clickjacking/UI redressing
  • Incomplete or missing SPF/DMARC/DKIM records
  • Issues related to password/credential strength, length, lock outs, or lack of brute-force/rate limiting protections
  • Lack of SSL or Mixed content
  • Missing Cookie flags
  • Reflected file download attacks (RFD)
  • Self-exploitation (i.e. password reset links or cookie reuse)
  • URL Redirection
  • Use of a known-vulnerable library which leads to a low-impact vulnerability (i.e. jQuery outdated version leads to low impact XSS)
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)


  • android:debuggable=”true” in Android Manifest
  • android:allowBackup set to true (by default)
  • Information disclosure via Toast messages


  • Information leakage in backgrounding snapshots
  • Information leakage in keystroke caching


  • Copy & Paste disabled for sensitive fields
  • Pasteboard data cached
  • The application asks for more permission than its needs
  • Two-factor authentication bypass that requires physical access to a logged-in device
  • Any issue in the mobile app that can only be exploited on a rooted or jailbroken device
  • Any issue exploited in the mobile app because an operating system vulnerability
  • Local access to user data when operating a rooted mobile device

This list will be updated if we see a particular vuln that is systemic and site wide. Please check this list often. This is for your benefit and to save you the trouble of searching the analytics

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.