Looking for the way to report suspicious activity on Upwork? See this Help article.

At Upwork, we take the security of our users very seriously. We are committed to tirelessly working to verify, reproduce, and respond to legitimate vulnerabilities, and we value the work done by security researchers in improving the security of our products and service offerings. We encourage the Upwork community to participate in our responsible reporting process.

If you believe you have discovered a potential security vulnerability on any of the Upwork.com domains, please help us fix it by reporting your findings under our Upwork Bug Bounty Program. Publicly disclosing a vulnerability can put the entire community at risk, so we urge those reporting vulnerabilities to keep matters private until we can resolve the issue.

Security is very important at Upwork and we recognize the important role that security researchers and our community play in keeping Upwork and our customers secure. We investigate all reported vulnerabilities, using a third-party service to validate the vulnerability and ensure the appropriate monetary reward to the reporter if they follow the bug bounty program requirements and guidelines.

If you discover a vulnerability on Upwork.com, please submit your report via Upwork Bug Bounty Program.

Guidelines and Process for Responsible Disclosure

Your submission will be reviewed and validated by a member of the Information Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response.

• Please share the security issue with us before making it public on message boards, mailing lists, or other forums.
• When submitting a vulnerability, please follow all steps and guidelines provided by Upwork Bug Bounty Program.
• Please do not engage in security research that involves:
  • Potential or actual damage to Upwork users, systems, or applications.
  • Use of an exploit to view data without authorization that involves the corruption of data.
  • Requests for compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise.