This article focuses on website vulnerability, including possible opportunities for hackers. For more information about reporting Upwork-related suspicious activity by a fellow user, go here instead.

At Upwork, we take the security of our users very seriously. We are committed to tirelessly working to verify, reproduce, and respond to legitimate vulnerabilities, and we value the work done by security researchers in improving the security of our products and service offerings. We encourage the Upwork community to participate in our responsible reporting process.

If you believe you have discovered a potential security vulnerability on any of the Upwork.com domains, please help us fix it by reporting your findings to us while following our Guidelines for Responsible Disclosure (described below). Publicly disclosing a vulnerability can put the entire community at risk, so we urge those reporting vulnerabilities to keep matters private until we can resolve the issue.

Security is very important at Upwork. We investigate all reported vulnerabilities, using a third-party service to validate the vulnerability and ensure the appropriate monetary reward to the reporter if they follow the Guidelines for Responsible Disclosure.

Guidelines for Responsible Disclosure


At Upwork, we recognize the important role that security researchers and our community play in keeping Upwork and our customers secure. If you discover a vulnerability on Upwork.com, please notify us by email at security-reports@upwork.com using the following guidelines:

  • Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
  • Please wait until we notify you that the vulnerability has been resolved before you disclose it to others. We take the security of our customers very seriously, and some vulnerabilities take longer than others to resolve.
  • When submitting a vulnerability, please provide a clear, concise description of steps to reproduce the vulnerability.
  • Please provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.
  • To receive credit, you must be the first to report the vulnerability, and you must provide us with a reasonable amount of time to remediate it before you disclose the issue publicly. We use a third-party service to validate the vulnerability and provide monetary rewards to the reporter.
  • Your submission will be reviewed and validated by a member of the Information Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response.
  • Please do not engage in security research that involves:
    • Potential or actual damage to Upwork users, systems, or applications.
    • Use of an exploit to view data without authorization that involves the corruption of data.
    • Requests for compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise.

Log in to get personalized help.