Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.

---

Important Update

Due to internal engineering efforts around GraphQL, we will be taking api.upwork.com/graphql out of scope on July 1st, 2022 and momentum bonus for this API endpoint will be taken out immediately. We are asking everyone if they have any pending submissions for this API endpoint, please submit them by July 1st, 2022.
We want to thank you all for a continued support and looking forward for your submissions.

---

BONUS REWARDS

Upwork will be offering a DOUBLE rewards bonus for all valid P1/P2 submissions beginning on June 13th, 2022. This bonus will expire on June 28th, 2022. Until expiration the updated reward ranges are as follows:

Update: Due to a systemic issue the team has found, this bonus will be ending early.

• P1: $10,000
• P2: $4,000

Note, bonuses are subject to change. If you have any questions, please reach out to support@bugcrowd.com. More importantly, happy hunting!!

---

Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

• Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
• Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

• There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program, going forward, submissions made within the 7-day sliding window will be sorted by the severity assigned and the momentum bonus will be applied from highest to lowest severity, for example if you submit 3 bugs in this sequence [P3, P2, P1] within a 7 day sliding window, the submissions will be sorted by severity [P1, P2, P3] and the first (Bug with P1 Severity) pays 100%, the second (Bug with P2 Severity) pays 110%, the third (Bug with P3 Severity) pays 120%, etc. This scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

• Please provide complete reproduction steps for how you were able to capture the flag
• Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  
• Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

---