Upwork

  • $120 – $5,000 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded 513
  • Validation within 2 days 75% of submissions are accepted or rejected within 2 days
  • Average payout $816.40 within the last 3 months

Latest hall of famers

Recently joined this program

Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.


BONUS REWARDS

Upwork will be offering a DOUBLE rewards bonus for all valid P1/P2 submissions beginning on June 13th, 2022. This bonus will expire on June 28th, 2022. Until expiration the updated reward ranges are as follows:

Update: Due to a systemic issue the team has found, this bonus will be ending early.

  • P1: $10,000
  • P2: $4,000

Note, bonuses are subject to change. If you have any questions, please reach out to support@bugcrowd.com. More importantly, happy hunting!!


Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

  • Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
  • Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

  • There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program. Every accepted bug submitted during this window will earn you a 10% increase on your payout. For example, if you submit 3 bugs in one week the first pays 100%, the second pays 110%, the third pays 120%, etc. this scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

  • Please provide complete reproduction steps for how you were able to capture the flag
  • Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  • Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.