Upwork

  • $120 – $5,000 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded 586
  • Validation within 30 days 75% of submissions are accepted or rejected within 30 days
  • Average payout $1,804 within the last 3 months

Latest hall of famers

Recently joined this program

2077 total

Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.


Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

  • Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
  • Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

  • There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program, going forward, submissions made within the 7-day sliding window will be sorted by the severity assigned and the momentum bonus will be applied from highest to lowest severity, for example if you submit 3 bugs in this sequence [P3, P2, P1] within a 7 day sliding window, the submissions will be sorted by severity [P1, P2, P3] and the first (Bug with P1 Severity) pays 100%, the second (Bug with P2 Severity) pays 110%, the third (Bug with P3 Severity) pays 120%, etc. This scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

  • Please provide complete reproduction steps for how you were able to capture the flag
  • Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  • Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

Disclosure terms

This program has a coordinated disclosure policy. Disclosures requests will be reviewed on a case by case basis.


Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.