At Comcast, we’re committed to working alongside the security research community, and know we’re at our best when we continually enhance this process. That's why we’ve launched Xfinity Home’s bug bounty and expanded the scope to include Xfinity xFi. With your help, we continue with our mission to make Xfinity products more secure.
Xfinity Home is a complete home security system, with 24/7 professional monitoring, and battery/cellular backup. Our customers enjoy peace of mind through live video monitoring with our Xfinity cameras, and motion activated recording that detects people, vehicles, and pets. The door/window sensors allow you to monitor your home and receive real-time alerts when doors are open or closed.
Xfinity xFi gives you control of your in-home WiFi from anywhere, on any device. With xFi and an xFi-enabled gateway, you can view connected devices, create profiles, pause WiFi for any device, and more. xFi Advanced Security helps keep you safe on the sites you visit, prevents remote access from unknown sources, and reports or blocks suspicious device activity with real-time app notifications.
Please note that this program is scoped specifically to Xfinity Home and Xfinity xFi. If you believe you've found a security issue in any other product or service (or are unsure), please report it through our vulnerability disclosure program.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases, a vulnerability priority will be modified due to its attack complexity, requirements, likelihood, or impact of successful exploitation.
All submissions are reviewed to determine an accurate priority and any change will result in a detailed explanation provided to the researcher with the opportunity for a follow up.
Rewards are determined through an internal impact assessment, researcher interaction and the overall quality, content, and accuracy of the report.
High impact findings
Comcast may reward eligible P1 submissions up to $10,000 for findings related to:
- Remote unauthorized access (via the publicly accessible internet, not from the same LAN/wireless network) to:
  - Cloud storage videos
  - Live camera feeds
- Bypassing armed systems
- Abuse/theft of service
- Unauthorized access to WiFi credentials
The following VRT entries are rated differently in this program:

| VRT Name | Adjusted Priority |
|---|---|
| High Impact Subdomain Takeover | P2 -> P3 |
| Basic Subdomain Takeover | P3 -> P4 |
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.