At Comcast, we’re committed to working alongside the security research community, and know we’re at our best when we continually enhance this process. That's why we’ve formally launched Xfinity Home’s bug bounty program, as a way to reward contributions from security researchers who help make Xfinity Home more secure.
Xfinity Home is a complete home security system, with 24/7 professional monitoring, and battery/cellular backup. Our customers enjoy peace of mind through live video monitoring with our Xfinity cameras, and motion activated recording that detects people, vehicles, and pets. The door/window sensors allow you to monitor your home and receive real-time alerts when doors are open or closed.
Please note, this program is specifically scoped for Xfinity Home. If you believe you've found a security issue related to any other product or service please report through our vulnerability disclosure program.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases, a vulnerability priority will be modified due to its attack complexity, requirements, likelihood, or impact of successful exploitation.
All submissions are reviewed to determine an accurate priority and any change will result in a detailed explanation provided to the researcher with the opportunity for a follow up.
Rewards are determined through an internal impact assessment, researcher interaction and the overall quality, content, and accuracy of the report.
Comcast may reward eligible P1 submissions up to $10,000 for findings related to:
Remote unauthorized access (via publicly accessible internet, not on the same LAN/wireless network) of:
Abuse/Theft of Service
Last updated 18 Jul 2019 14:03:49 UTC
Technical severity | Reward range
--- | ---
P1 Critical | $1,500 - $3,500
P2 Severe | $750 - $1,200
P3 Moderate | Up to $300
P4 Low | Up to $150
P5 submissions do not receive any rewards for this program.
Target name | Type
--- | ---
Xfinity Home Starter Kit (see below) | Hardware
Home.xfinity.com (see below) | Website
Xfinity Home iOS mobile app | iOS
Xfinity Home Android mobile app | Android
Xfinity Home cameras | IoT

Target name | Type
--- | ---
3rd Party Devices (known as Works with Xfinity) | IoT
login.xfinity.com | Website
All submissions must have demonstrable impact on the Xfinity Home product. To be able to test comprehensively, researchers must be a current Xfinity Home subscriber. Without an active Xfinity account, the available attack surface is highly limited - however, we encourage researchers to test with what is available to them.
All Comcast/Xfinity endpoints called by Xfinity Home applications are in scope.
Xfinity Home Web/Mobile | Description
--- | ---
xhomeapi-.codebig2.net | API Gateway
xhomeapi-.cloud.comcast.net | API for fetching device information
-cvr-aws-.sys.comcast.net | Endpoints for CVR data
*signalservice.comcast.net | Endpoint for live video
oauth.xfinity.com | User Authentication
api.sc.xfinity.com | API for retrieving user information
Wireless motion sensors
Xfinity Home Cameras
Any domain/property of Comcast not listed in the targets section is out of scope for this bounty program. This includes any/all subdomains not listed above. If you believe you've identified a Comcast vulnerability on a system outside the scope of this program, please report it through our vulnerability reporting page.
Researchers must have explicit permission from the account owner to perform any form of security testing.
Researchers may not be a current or former employee, contractor or immediate family member.
Note: This program adheres to Bugcrowd's coordinated disclosure terms. We ask that you provide us a copy of your disclosure report prior to publication and do not publicly report findings until they have been fully remediated.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This program leverages 7 scopes in 5 scope categories.