2019-09-26
2020-04-23
Xfinity Home & xFi

Program Overview

At Comcast, we’re committed to working alongside the security research community, and know we’re at our best when we continually enhance this process. That's why we’ve launched Xfinity Home’s bug bounty and expanded the scope to include Xfinity xFi. With your help, we continue with our mission to make Xfinity products more secure.

Xfinity Home is a complete home security system, with 24/7 professional monitoring, and battery/cellular backup. Our customers enjoy peace of mind through live video monitoring with our Xfinity cameras, and motion activated recording that detects people, vehicles, and pets. The door/window sensors allow you to monitor your home and receive real-time alerts when doors are open or closed.

Xfinity xFi gives you the ultimate control of your in-home WiFi from anywhere, on any device. With xFi and an xFi enabled gateway, you can view connected devices, create profiles, pause WiFi to any device, and more. xFi Advanced Security helps keep you safe on the sites you visit, prevents remote access from unknown sources, and reports/blocks suspicious device activity with real-time app notifications.

Please note, this program is specifically scoped for Xfinity Home and Xfinity xFi. If you believe you've found a security issue related to any other product or service (or are unsure), please report it through our vulnerability disclosure program.


Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, in some cases, a vulnerability priority will be modified due to its attack complexity, requirements, likelihood, or impact of successful exploitation.

All submissions are reviewed to determine an accurate priority and any change will result in a detailed explanation provided to the researcher with the opportunity for a follow up.

Reward Guidelines

Rewards are determined through an internal impact assessment, researcher interaction and the overall quality, content, and accuracy of the report.

High impact findings

Comcast may reward eligible P1 submissions up to $10,000 for findings related to:

Xfinity Home

  1. Remote unauthorized access (via the publicly accessible internet, not from the same LAN/wireless network) to:

    • Cloud storage videos
    • Live camera feeds
    • Bypassing an armed system
  2. Abuse/Theft of Service

Xfinity xFi

  1. Abuse/Theft of Service

  2. Unauthorized access to WiFi credentials

VRT Amendments

VRT Name | Adjusted Priority
---|---
High Impact Subdomain Takeover | P2 -> P3
Basic Subdomain Takeover | P3 -> P4

Reward range

Last updated 30 Apr 2020 17:49:19 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,500 - $3,500
P2 Severe | $750 - $1,200
P3 Moderate | $300 - $600
P4 Low | Up to: $250

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
Xfinity Home Starter Kit (see below) | Hardware Testing
Home.xfinity.com (see below) | Website Testing
Xfinity Home iOS mobile app | iOS
Xfinity Home Android mobile app | Android
Xfinity Home cameras | IoT
login.xfinity.com | Website Testing
xFi iOS mobile app | iOS
xFi Android mobile app | Android
Internet.xfinity.com | Website Testing
speedtest.xfinity.com | Website Testing
oauth.xfinity.com | Website Testing
https://business-*-prod.codebig2.net/*/v1 | API Testing
xhomeapi-*.codebig2.net | API Testing
xhomeapi-*.cloud.comcast.net | API Testing
*-cvr-aws-*.sys.comcast.net | Website Testing
*signalservice.comcast.net | Website Testing
siorc.xfinity.com | Website Testing
smartinet.xfinity.com | Website Testing
orc-xfi.com | Website Testing

Out of scope

Target name | Type
---|---
3rd Party Devices (known as Works with Xfinity) | IoT

Exclusions

The following assets are not yet eligible for bounty and should be reported through our vulnerability disclosure program.

Target Name | Type
---|---
xFi Gateways (e.g., XB3, XB6, XB7) | Hardware
xFi Pods | Hardware

Target Info

All submissions must have demonstrable impact on Xfinity Home or xFi. To be able to test comprehensively, researchers must be a current Xfinity subscriber. Without an active Xfinity account, the available attack surface is highly limited; however, we encourage researchers to test with what is available to them.

Endpoint Details

All Comcast/Xfinity endpoints called by Xfinity Home/xFi applications are in-scope.

Xfinity Home | Description
---|---
xhomeapi-*.codebig2.net | API Gateway
xhomeapi-*.cloud.comcast.net | API for fetching device information
*-cvr-aws-*.sys.comcast.net | Endpoints for CVR data
*signalservice.comcast.net | Endpoint for live video
oauth.xfinity.com | User Authentication
api.sc.xfinity.com | API for retrieving user information

Xfinity xFi | Description
---|---
internet.xfinity.com | Website for xFi functionality
siorc.xfinity.com | Endpoint for mobile app orchestration
speedtest.xfinity.com | Used to determine Internet connection speed
orc-xfi.com | xFi orchestration layer
smartinet.xfinity.com | xFi orchestration layer

Hardware/IoT
---
Touchscreen Controller
Window/Door Sensors
Wireless keypad
Wireless motion sensors
Xfinity Home Cameras

Out of Scope Details

Any domain/property of Comcast not listed in the targets section is out of scope for this bounty program. This includes any/all subdomains not listed above. If you believe you've identified a Comcast vulnerability on a system outside the scope of this program, please report it through our vulnerability disclosure program.

  • Email spoofing issues (e.g., SPF, DKIM, DMARC)
  • Automated scan reports without valid proof of concept
  • Physical tampering of the device (I/O devices such as USB, SIM, and SD card slots are in scope)
  • 3rd party integration
  • Reports requiring a rooted/jailbroken device
  • Duplicate/known submissions
  • Load Testing (DoS, DDoS, wireless jamming, etc.)
  • Social engineering attacks
  • Theoretical security issues
  • Protocol-specific flaws

Additionally, as an Internet Service Provider, technologies hosted by residential or business customers are considered out-of-scope. These can typically be identified by the FQDN format below.

10-0-0-1-static.hfc.comcastbusiness.net
c-10-0-0-1.hsd1.pa.comcast.net
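The scope rules above boil down to three hostname questions a tester should answer before sending a single request: does the host match a listed target pattern, is it customer-hosted CPE, or is it an unlisted Comcast property that belongs in the vulnerability disclosure program instead. The following scope checker is an added example written for this page, not tooling published by Comcast or Bugcrowd. It copies the wildcard target list and the api.sc.xfinity.com endpoint from the tables above; the two customer-FQDN regexes generalise the two example names shown (any IPv4 octets, any two-letter state code), and reading the `*` in `https://business-*-prod.codebig2.net/*/v1` as a single path segment is likewise this example's assumption.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hostname patterns copied from the program's Targets and Endpoint Details tables,
# wildcards as published.
IN_SCOPE_HOSTS = [
    "home.xfinity.com",
    "login.xfinity.com",
    "internet.xfinity.com",
    "speedtest.xfinity.com",
    "oauth.xfinity.com",
    "siorc.xfinity.com",
    "smartinet.xfinity.com",
    "orc-xfi.com",
    "api.sc.xfinity.com",            # listed under Endpoint Details, not Targets
    "business-*-prod.codebig2.net",
    "xhomeapi-*.codebig2.net",
    "xhomeapi-*.cloud.comcast.net",
    "*-cvr-aws-*.sys.comcast.net",
    "*signalservice.comcast.net",
]

# The one target published as a URL carries a path constraint (/*/v1).
# Treating "*" as exactly one path segment is an assumption of this example.
PATH_CONSTRAINTS = {
    "business-*-prod.codebig2.net": re.compile(r"^/[^/]+/v1(?:/|$)"),
}

# Customer-hosted FQDN shapes, generalised from the two examples the program gives
# (10-0-0-1-static.hfc.comcastbusiness.net, c-10-0-0-1.hsd1.pa.comcast.net).
# The generalisation is this example's assumption, not a published pattern.
CUSTOMER_HOSTED = [
    re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}-static\.hfc\.comcastbusiness\.net$"),
    re.compile(r"^c-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.hsd1\.[a-z]{2}\.comcast\.net$"),
]


def split_target(target):
    """Return (hostname, path) for a bare hostname, host/path, or full URL.

    path is None when the caller gave no path at all, so that a bare hostname
    is not penalised by a path constraint it never claimed to satisfy.
    """
    if "://" in target:
        parts = urlsplit(target)
        return (parts.hostname or "").rstrip(".").lower(), parts.path or "/"
    host, sep, path = target.partition("/")
    return host.rstrip(".").lower(), ("/" + path) if sep else None


def classify(target):
    """Classify a host or URL as in-scope, customer-hosted, unlisted or invalid.

    'unlisted' covers everything the program does not name: a Comcast-owned host
    in that bucket goes to the vulnerability disclosure program, not this bounty.
    """
    host, path = split_target(target)
    if not host:
        return "invalid"
    # Residential/business CPE is out of scope regardless of what it serves.
    if any(rx.match(host) for rx in CUSTOMER_HOSTED):
        return "customer-hosted"
    for pattern in IN_SCOPE_HOSTS:
        # fnmatchcase's "*" also matches dots, so "*signalservice.comcast.net"
        # accepts deeper labels too; that matches how the wildcard reads on the page.
        if fnmatchcase(host, pattern):
            path_rx = PATH_CONSTRAINTS.get(pattern)
            if path_rx and path is not None and not path_rx.match(path):
                return "unlisted"   # listed host, but a path outside the published API path
            return "in-scope"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample targets; none of these are real findings.
    for t in [
        "xhomeapi-prod.codebig2.net",
        "https://business-xhome-prod.codebig2.net/xhome/v1/devices",
        "https://business-xhome-prod.codebig2.net/v2/devices",
        "c-10-0-0-1.hsd1.pa.comcast.net",
        "mail.comcast.net",
    ]:
        print(f"{t:60s} {classify(t)}")
```

A hostname match is necessary, not sufficient: the xFi gateways and Pods are excluded hardware whatever they resolve to, Works-with-Xfinity devices are out of scope, and testing any account still needs the owner's explicit permission per the Rules section.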

Rules

Researchers must have explicit permission from the account owner to perform any form of security testing.

Researchers may not be a current or former employee, contractor or immediate family member.

Note: This program adheres to Bugcrowd's coordinated disclosure terms. We ask that you provide us a copy of your disclosure report prior to publication and do not publicly report findings until they have been fully remediated.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type | Scope Name
---|---
android_application | Xfinity Home Android mobile app
android_application | xFi Android mobile app
ios_application | Xfinity Home iOS mobile app
ios_application | xFi iOS mobile app
undefined | Xfinity Home cameras
undefined | Xfinity Home Starter Kit (see below)
web_application | Home.xfinity.com (see below)
web_application | Internet.xfinity.com
web_application | speedtest.xfinity.com
web_application | oauth.xfinity.com
web_application | *-cvr-aws-*.sys.comcast.net
web_application | *signalservice.comcast.net
web_application | siorc.xfinity.com
web_application | smartinet.xfinity.com
web_application | orc-xfi.com
web_application | login.xfinity.com
web_application | https://business-*-prod.codebig2.net/*/v1
web_application | xhomeapi-*.codebig2.net
web_application | xhomeapi-*.cloud.comcast.net

Out of Scope

Scope Type | Scope Name
---|---
undefined | 3rd Party Devices (known as Works with Xfinity)

This program lists 20 scopes in 4 scope categories.

FireBounty © 2015-2020
