Upwork

  • $120 – $5,000 per vulnerability
  • Up to $10,000 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

495 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$1,687.28 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.


Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

  • Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
  • Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

  • There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program. Every accepted bug submitted during this window will earn you a 10% increase on your payout. For example, if you submit 3 bugs in one week the first pays 100%, the second pays 110%, the third pays 120%, etc. this scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

  • Please provide complete reproduction steps for how you were able to capture the flag
  • Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  • Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.