Comcast Xfinity Vulnerability Disclosure Program

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

454 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Comcast provides Xfinity Internet, TV, wireless, home automation, and more to tens of millions of residential customers, in addition to Comcast Business services to enterprise and small business customers. With so many devices and services in homes and businesses, it has never been more important to ensure the security of those products while striving to deliver an experience that is simple, elegant and powerful. With this in mind, we remain committed to working with security researchers and alongside the security community, and will maintain trust, respect, and transparency that aligns with our commitment to security and privacy.


Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.

Targets

In scope

Target name | Type | Tags
*.xfinity.com | Website Testing | Windows, ASP.NET, ReactJS, jQuery, Microsoft IIS, Website Testing
*.comcast.com | Website Testing | Windows, ASP.NET, ReactJS, jQuery, Microsoft IIS, Website Testing
*.sys.comcast.net | Website Testing | Website Testing
https://business.comcast.com/account | Website Testing | Windows, ASP.NET, ReactJS, jQuery, Lodash, Microsoft IIS, Website Testing
Internet - All devices, including Broadband Gateways | Hardware Testing | Hardware Testing
TV - Xfinity hardware and services | Website Testing | Website Testing
Flex - Xfinity hardware and services | Website Testing | Website Testing
Voice - Hardware and service | Website Testing | Website Testing
Mobile Apps iOS and Android | Other | Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI, Android, Java, Kotlin
Xfinity Home | Other | Hardware Testing

Targets:

September 2020 Bonus

For the entire month of September, we will be rewarding $1,250 for valid submissions that fall in the following categories:

  • RCE
  • XXE
  • File Inclusion
  • Command Injection
  • SQL Injection

In addition to the reward, we will invite you to a current or future private program.

In-Scope:

Our Vulnerability Disclosure Program aims to encompass all the technologies, products, and services that Comcast Xfinity and Comcast Business provides.

All endpoints called by these services and applications are in-scope. If you are unsure if something is owned or maintained by us, please let us know and we will make a best effort to determine if we can assist. If you are just getting started, you might consider the following:

Xfinity Product | Description
*xfinity.com | Primary Xfinity domains and customer access
*.comcast.com | Main corporate domains
business.comcast.com/* | Primary Comcast Business customer domains
Internet | All devices, including Broadband Gateways
TV | Xfinity hardware and services
Flex | Xfinity hardware and services
Mobile | Services and apps
Voice | Hardware and service
Mobile Apps | iOS and Android
Xfinity Home | Please refer to our Xfinity Home & xFi Bug Bounty Program
Xfinity xFi | Please refer to our Xfinity Home & xFi Bug Bounty Program

We do not offer accounts or credentials for testing purposes.


Out-of-Scope:

Because Comcast is an Internet Service Provider, technologies hosted by residential or business customers are considered out-of-scope. These can typically be identified by the FQDN formats below.

  • *.hfc.comcastbusiness.net
  • *.hsd1.*.comcast.net

Please Note: You can still email us at securitydefectreporting@comcast.com and we will route the report to the appropriate customer security team, but we are unable to accept such reports as part of this program.

Additionally, any vulnerabilities regarding these brands and entities are also out-of-scope:

  • NBCUniversal
  • Sky

Exclusions:

  • Email spoofing issues (e.g., SPF, DKIM, DMARC)
  • Automated scan reports or search engine results (e.g., Shodan) without a valid proof of concept
  • Physical tampering of our hardware devices
  • Load Testing (DoS, DDoS, wireless jamming, etc.)

Rules:

  • Do not access, destroy, or otherwise negatively impact any residential or business customers, or customer data, in any way

  • Do not test against any type of customer account without explicit permission

Additional Information:

  • For customers who are experiencing abuse-related issues such as phishing, spam and identity theft, the Customer Security Assurance organization has been established to respond to your issues. Their contact information can be found at our Report Abuse page.

If you believe a vulnerability is particularly sensitive, you may use our PGP key to encrypt your report.


Program rules

This program follows Bugcrowd’s standard disclosure terms.