Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.

---

Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

• Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
• Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

• There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program. Every accepted bug submitted during this window will earn you a 10% increase on your payout. For example, if you submit 3 bugs in one week the first pays 100%, the second pays 110%, the third pays 120%, etc. this scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

• Please provide complete reproduction steps for how you were able to capture the flag
• Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  
• Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

---

Any domain/property of Upwork not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Upwork, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

---

Ratings/Rewards

For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, it is essential to note that in some cases, a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.

Please see Target Information for exclusions specific to this program.

Rewards

Priority	iOS, Android	Web, Desktop, API
P1	$5,000	$2,000
P2	$2,000	$1,200
P3	$720	$480
P4	$300	$120

---

Requirements

The following requirements are needed to test - not abiding by these rules may result in you not being ineligible from receiving the full reward amount or may lead to being suspended from testing and/or removal from the program.

• User-Agent - To participate in the Upwork Bug Bounty, please configure your scanner to include bugcrowd in the user-agent string. Failure to do so may result in your IP being temporarily blocked from participation in the program.

• Access / Upwork Account - You can self-register for an Upwork account and Upwork API using your @bugcrowdninja.com email address. Testing using any other account is out of scope. Failure to use your @bugcrowdninja.com address may result in your account being temporarily locked or being suspended from participating in the program.

---

Target information

• Please note that the mobile web app is available at: https://upwork.com/mobile
• Information on the public messaging API is available at: https://developer.upwork.com and also attached to the listing.
• To view a list of what will likely be the best areas to focus on to find valid and unique findings, please go here
• Android application, Clients
• Android application, Freelancers
• iOS applications
• Upwork Developers
• Worth noting, Upwork is designed to help people find jobs and posting/viewing resumes and other PII is a core component of the service. While you may submit findings, it must have a clear threat or business impact for Upwork; otherwise, it is likely to be marked as won't fix or informational.

Access/credentials

Please sign up for an Upwork account and Upwork API using your @bugcrowdninja.com email address. Only basic/free access is provided by the Upwork team for this program, you are welcome to test the API using a paid account, but these are not offered at this time.

• Sign up for Upwork API
• How do I get started as a client?
• Getting Started as a Freelancer

When testing please only test against jobs that you have created - do not test against jobs owned by persons other than yourself

---

Exclusions

• All CSRF vulnerabilities will likely be evaluated at the P4 level
• Social Engineering
• Uploading of any vulnerability or client-related content to third-party utilities (e.g., Github, DropBox)
• Network-layer D/DoS (If you suspect an application-layer D/DoS, contact Bugcrowd to review the vulnerability. Do not proof-of-concept application-layer D/DoS attacks without prior consent)
• All attack payload data must use professional language (ex: "test" rather than "this has been hacked.")
• If able to gain access to a system, accounts, users, or user data, stop at the recognition of and report. Do not dive deeper to determine how much more is accessible.
• Vulnerabilities affecting users of outdated browsers, plugin, platforms, or operating systems.
• Github Repos not associated with cloud.upwork.com or upwork.com.
• 2FA exploits are of low value for this team and will be marked as Not Applicable

Additionally, the following vulnerabilities are considered too low of an impact and will be marked as Out of Scope if submitted

Web

• User Account Social Media Account (Twitter for example) hijacking via a broken link
• Account/email enumeration using brute-force attacks
• Any low impact issues related to session management (i.e., concurrent sessions, session expiration, password reset/change logout, etc.)
• Bypassing content restrictions in uploading a file without proving the file was received
• Clickjacking/UI redressing
• Incomplete or missing SPF/DMARC/DKIM records
• Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections
• Lack of SSL or Mixed content
• Missing Cookie flags
• Reflected file download attacks (RFD)
• Self-exploitation (i.e., password reset links or cookie reuse)
• URL Redirection
• Use of a known-vulnerable library which leads to a low-impact vulnerability (i.e., outdated jQuery version leads to low impact XSS)
• Vulnerabilities affecting users of outdated browsers, plugins or platforms
• Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
• Vulnerabilities that require the user/victim to perform improbable actions (i.e., Self-XSS)

Android

• android:debuggable=" true" in Android Manifest
• android:allowBackup set to true (by default)
• Information disclosure via Toast messages

iOS

• Information leakage in backgrounding snapshots
• Information leakage in keystroke caching

Both

• Copy & Paste disabled for sensitive fields
• Pasteboard data cached
• The application asks for more permission than its needs
• Two-factor authentication bypass that requires physical access to a logged-in device
• Any issue in the mobile app that can only be exploited on a rooted or jailbroken device
• Any issue exploited in the mobile app because of an operating system vulnerability
• Local access to user data when operating a rooted mobile device

This list will be updated if we see a particular vuln that is systemic and sitewide. Please check this list often. This is for your benefit and to save you the trouble of searching the analytics

Privacy Considerations are OOS

Upwork is Privacy Shield certified. Upwork has received TRUSTe's Privacy Seal signifying that our privacy policy and practices comply with the TRUSTe program requirements, including transparency, accountability, and choice regarding the collection and use of personal information. Upwork is GDPR compliant.