Comcast provides Xfinity Internet, TV, wireless, home automation, and more to tens of millions of residential customers, in addition to Comcast Business services to enterprise and small business customers. With so many devices and services in homes and businesses, it has never been more important to ensure the security of those products while striving to deliver an experience that is simple, elegant and powerful. With this in mind, we remain committed to working with security researchers and alongside the security community, and will maintain trust, respect, and transparency that aligns with our commitment to security and privacy.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Valid submissions that fall in the following categories are eligible for rewards up to $1,250:
- File Inclusion
- Command Injection
- SQL Injection
In addition to the reward, we will invite you to a current or future private program.
Note, bonuses are subject to change. If you have any questions, please reach out to firstname.lastname@example.org.
Our Vulnerability Disclosure Program aims to encompass all the technologies, products, and services that Comcast Xfinity and Comcast Business provide.
All endpoints called by these services and applications are in-scope. If you are unsure if something is owned or maintained by us, please let us know and we will make a best effort to determine if we can assist. If you are just getting started, you might consider the following:
| Target | Description |
|---|---|
| *xfinity.com | Primary Xfinity domains and customer access |
| *.comcast.com | Main corporate domains |
| business.comcast.com/* | Primary Comcast Business customer domains |
| Internet | All devices, including Broadband Gateways |
| TV | Xfinity hardware and services |
| Flex | Xfinity hardware and services |
| Mobile | Services and apps |
| Voice | Hardware and service |
| Mobile Apps | iOS and Android |
| Xfinity Home | Please refer to our Xfinity Home & xFi Bug Bounty Program |
| Xfinity xFi | Please refer to our Xfinity Home & xFi Bug Bounty Program |
We do not offer accounts or credentials for testing purposes.
As an Internet Service Provider, technologies hosted by residential or business customers are considered out-of-scope. These can typically be identified by the FQDN format below.
Please Note: You can still email us at email@example.com and we will route such reports to the appropriate customer security team, but we are unable to accept them as part of this program.
Additionally, any vulnerabilities regarding these brands and entities are also out-of-scope:
- Email spoofing issues (e.g., SPF, DKIM, DMARC)
- Automated scan reports or search engine results (e.g., Shodan) without a valid proof of concept
- Physical tampering of our hardware devices
- Load Testing (DoS, DDoS, wireless jamming, etc.)
- Do not access, impact, destroy or otherwise negatively affect any residential or business customers, or customer data, in any way
- Do not test against any type of customer account without explicit permission
- For customers who are experiencing abuse-related issues such as phishing, spam and identity theft, the Customer Security Assurance organization has been established to respond to your issues. Their contact information can be found at our Report Abuse page.
If you believe a vulnerability is particularly sensitive, you may use our PGP key to encrypt your report.