At Upwork, we take the security of our users very seriously. Upwork values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. For more information about reporting Upwork-related suspicious activity by a fellow user, click here instead.
If you believe you have discovered a potential security vulnerability on any of the upwork.com domains, please help us fix it as quickly as possible by reporting your findings to us following our Guidelines for Responsible Disclosure (described below). Publicly disclosing a vulnerability can put the entire community at risk, so we urge those reporting vulnerabilities to keep matters private until we can resolve the issue.
Security is very important at Upwork. We investigate all reported vulnerabilities, using a third party service to validate the vulnerability and ensure the appropriate monetary reward to the researcher if they follow the Guidelines for Responsible Disclosure.
Guidelines for Responsible Disclosure
At Upwork, we recognize the important role that security researchers and our community play in keeping Upwork and our customers secure. If you discover a vulnerability on upwork.com, please notify us by email at firstname.lastname@example.org using the following guidelines:
- Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
- Please wait until we notify you that the vulnerability has been resolved before you disclose it to others. We take the security of our customers very seriously, and some vulnerabilities take longer than others to resolve.
- When submitting a vulnerability, please provide a clear, concise description of steps to reproduce the vulnerability.
- Please provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.
- To receive credit, you must be the first to report the vulnerability, and you must provide us a reasonable amount of time to remediate before you disclose the issue publicly. We use a third party service to validate the vulnerability and provide monetary rewards to the researcher.
- Your submission will be reviewed and validated by a member of the Information Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response.
- Please do not engage in security research that involves:
- Potential or actual damage to Upwork users, systems, or applications.
- Use of an exploit to view data without authorization that involves the corruption of data.
- Requests for compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise.