2018-06-20
2021-03-31
Reward

120 $ 

Upwork

For this program, we're inviting researchers to test our freelancer platform and mobile iOS/Android/Desktop apps. Our goal with this program is to ensure that our customers are using a secure platform that's free of security vulnerabilities.

Please note: Upwork regularly releases new code; updates highlighting new code will be posted in the announcement section. This is a great opportunity for Upwork and the researcher community to work together to find vulnerabilities! Watch for new releases on Upwork's Blog.

Special Bonuses and Rewards

CTF

Upwork is offering an extra, one-time $5,000 reward for the ability to find a reverse shell, bind shell, or meterpreter shell.

  • Researchers need to get a reverse shell, bind shell, or meterpreter shell on any in-scope Upwork instance and provide a PoC.
  • Please provide complete reproduction steps for how you were able to capture the flag.

Ongoing

Momentum Bonus: the more you submit, the more you earn!

  • There is a 7-day sliding window where you can build momentum on your rewards for the Upwork program. Every accepted bug submitted during this window will earn you a 10% increase on your payout. For example, if you submit 3 bugs in one week, the first pays 100%, the second pays 110%, the third pays 120%, etc. This scales to a maximum payout amount of 200% (double reward) of the original value.

Upwork is offering an extra, one-time $5,000 reward for the ability to break into any of the specified client or freelancer accounts and steal the funds allocated to it. The accounts are: bugcrowd-client@upwork.com and bugcrowd-freelancer@upwork.com.

  • Please provide complete reproduction steps for how you were able to capture the flag.
  • Brute-forcing credentials to break in is still out of scope as per the regular scoping rules.
  • Use of social engineering to take over the account is still out of scope as per the regular scoping rules.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type             Scope Name
android_application    Upwork - Android Application
api                    https://www.upwork.com/api
api                    api.upwork.com/graphql
hardware               Upwork Dash Messenger Desktop Version (www.upwork.com/downloads)
ios_application        Upwork - iOS Application
undefined              Direct Contracts
web_application        www.upwork.com

Out of Scope

Scope Type             Scope Name
undefined              Social media hijacking
undefined              Any subdomain/domain/property not listed in the 'in scope' section is out of scope.
undefined              Any Third-party Services
web_application        support.upwork.com
web_application        community.stage.upwork.com
web_application        community.upwork.com
web_application        stage.upwork.com
web_application        e.upwork.com
web_application        status.upwork.com
web_application        signature.upwork.com
web_application        careers.upwork.com
web_application        tip.upwork.com
web_application        pardot.upwork.com


This program, crawled on 2018-06-20, is sorted as bounty.
