
Upwork
Upwork takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.
If you are a security expert or researcher and would like to report a vulnerability regarding Upwork services, please e-mail [email protected].
So that we may more effectively evaluate your report, please provide any supporting material (steps to reproduce, proof-of-concept code, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you share with Upwork as part of this process is kept confidential within Upwork. It will not be shared with third parties without your permission unless necessary to enforce or comply with the law.
Once the report has been submitted, Upwork will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Upwork will contact you to obtain it.
Upwork uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps us quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.
If applicable, Upwork will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
In order to protect our customers, Upwork requires that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, you may not post or share any data belonging to our company or our customers. Addressing a valid reported vulnerability will take time; how long will vary based on the severity of the vulnerability and the affected systems.