Xfinity Home & xFi

  • Points – $3,500 per vulnerability

Program stats

  • Vulnerabilities rewarded: 182
  • Validation within 7 days: 75% of submissions are accepted or rejected within 7 days
  • Average payout: $1,070.83 within the last 3 months

Program Overview

At Comcast, we’re committed to working alongside the security research community, and know we’re at our best when we continually enhance this process. That's why we’ve launched Xfinity Home’s bug bounty and expanded the scope to include Xfinity xFi. With your help, we continue with our mission to make Xfinity products more secure.

What is Xfinity Home?

Xfinity Home is a total home security solution that includes professional monitoring and advanced technology, all installed by experts and powered by WiFi from Xfinity.

What is xFi?

Xfinity xFi lets you manage your home WiFi network and connected home. You can self-install and set up your WiFi environment in minutes, find your WiFi password, know who's online, view camera video, troubleshoot issues and manage family members' online experiences with features like Pause and Parental Controls. xFi Advanced Security helps keep you safe on the sites you visit, prevents remote access from unknown sources, and reports/blocks suspicious device activity with real-time app notifications.

Please note, this program is specifically scoped for Xfinity Home and Xfinity xFi. If you believe you've found a security issue related to any other product or service (or are unsure), please report it through our vulnerability disclosure program.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases, a vulnerability priority will be modified due to its attack complexity, requirements, likelihood, or impact of successful exploitation.

All submissions are reviewed to determine an accurate priority and any change will result in a detailed explanation provided to the researcher with the opportunity for a follow up.

Rewards are determined through an internal impact assessment, researcher interaction and the overall quality, content, and accuracy of the report.

Reward Guidelines

High impact findings

Comcast may reward eligible P1 submissions up to $10,000 for findings related to:

Xfinity Home

  1. Remote unauthorized access (via the publicly accessible internet, not from the same LAN/wireless network) to:
     • Cloud storage videos
     • Live camera feeds
  2. Bypassing armed systems
  3. Abuse/theft of service

Xfinity xFi

  1. Abuse/theft of service
  2. Unauthorized access to WiFi credentials
  3. Unauthorized access to a Profile's Active Time
  4. Unauthorized access to Advanced Security settings or alerts

VRT Amendments

  VRT Name                         Adjusted Priority
  High Impact Subdomain Takeover   P2 -> P3
  Basic Subdomain Takeover         P3 -> P4

We welcome reports of XSS arising from Swagger-UI, but they do not qualify for a bounty. Such instances will be categorized as P5 Informational.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.