Learn how to responsibly report suspicious activity or security vulnerabilities on Upwork using the Bug Bounty Program and disclosure guidelines.
Looking for the way to report suspicious activity on Upwork? See this Help article.
At Upwork, we take the security of our users very seriously. We're committed to tirelessly working to verify, reproduce, and respond to legitimate vulnerabilities, and we encourage you to participate in our responsible reporting process.
If you believe you've discovered a potential security vulnerability on any of the Upwork.com domains, please help us fix it by reporting your findings via our Upwork Bug Bounty Program. Note: Publicly disclosing a vulnerability can put the entire community at risk, so we urge those to keep matters private until we can resolve the issue.
We investigate all reported vulnerabilities, using a third-party service to validate the vulnerability.
Guidelines for reporting
Your submission will be reviewed and validated by a member of the Information Security team. Providing clear and concise steps to reproduce the issue will help us get back to you sooner.
- Please share the security issue with us before making it public on message boards, mailing lists, or other forums
- When submitting a vulnerability, please follow all steps and guidelines provided by Upwork Bug Bounty Program
- Please do not engage in security research that involves:
- Potential or actual damage to Upwork users, systems, or applications
- Use of an exploit to view data without authorization that involves the corruption of data
- Requests for compensation for the reporting of security issues through any external marketplace for vulnerabilities, whether black-market or otherwise