Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code, updates will be posted in the announcement section highlighting new code. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.

---

Special Bonuses and Rewards

CTF

Upwork is offering a an extra, one-time $5,000 reward for the ability to find reverse shell, bind shell, or meterpreter shell

• Researchers need to get reverse shell, bind shell, or meterpreter shell of any Upwork in-scope instance and provide a PoC.
• Please provide complete reproduction steps for how you were able to capture the flag

Ongoing

Momentum Bonus, the more you submit, the more you earn!

• There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program. Every accepted bug submitted during this window will earn you a 10% increase on your payout. For example, if you submit 3 bugs in one week the first pays 100%, the second pays 110%, the third pays 120%, etc. this scales to a maximum payout amount of 200% (double reward) the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The account is: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

• Please provide complete reproduction steps for how you were able to capture the flag
• Bruteforcing credentials to break in is still out of scope as per the regular scoping rules.
  
• Use of Social Engineering to take-over the account is still out of scope as per the regular scoping rules.

---