Report Suspected Site Vulnerabilities

At Upwork, we take the security of our users very seriously. Upwork values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. For more information about reporting Upwork-related suspicious activity by a fellow user, click here instead.

If you believe you have discovered a potential security vulnerability on any of the domains, please help us fix it as quickly as possible by reporting your findings to us following our Guidelines for Responsible Disclosure (described below). Publicly disclosing a vulnerability can put the entire community at risk, so we urge those reporting vulnerabilities to keep matters private until we can resolve the issue.

Security is very important at Upwork. We investigate all reported vulnerabilities, using a third party service to validate the vulnerability and ensure the appropriate monetary reward to the researcher if they follow the Guidelines for Responsible Disclosure.


Guidelines for Responsible Disclosure

At Upwork, we recognize the important role that security researchers and our community play in keeping Upwork and our customers secure. If you discover a vulnerability on, please notify us by email at using the following guidelines:

  • Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
  • Please wait until we notify you that the vulnerability has been resolved before you disclose it to others.  We take the security of our customers very seriously, and some vulnerabilities take longer than others to resolve.
  • When submitting a vulnerability, please provide a clear, concise description of steps to reproduce the vulnerability.
  • Please provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.
  • To receive credit, you must be the first to report the vulnerability, and you must provide us a reasonable amount of time to remediate before you disclose the issue publicly. We use a third party service to validate the vulnerability and provide monetary rewards to the researcher.
  • Your submission will be reviewed and validated by a member of the Information Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response.
  • Please do not engage in security research that involves:
    • Potential or actual damage to Upwork users, systems, or applications.
    • Use of an exploit to view data without authorization that involves the corruption of data.
    • Requests for compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise.

Have more questions? Submit a request


Choose your user type
Please select...
  • Freelancer
  • Client
  • Agency
Select your issue category and subcategory
Please select...
Frequently Asked Questions
Provide more details:
Provide more details:
  • Discuss with Upwork Community
Provide more details:
The contract you have issues with:
Your Client/Freelancer’s name:
Attachment (for example, screenshots):
Add Files

    Your request has been submitted

    Your ticket number is XXXXXXXXX
    We will email you as soon as we can.

    Our apologies. Something went wrong.

    Your ticket was not submitted.
    For immediate help, please check out the options to the right.
    • Chat with Customer Service
    • Discuss with Upwork Community
    Powered by Zendesk