Program Overview
Xfinity Home & xFi runs a bug bounty program on Bugcrowd with a maximum payout of $5,500. The program has 26 in-scope assets and is managed by Bugcrowd's triage team.
In-Scope Assets
| Asset | Type | Max Severity | Eligible |
|---|---|---|---|
| https://home.xfinity.com | WEBSITE | | |
| Internet.xfinity.com | WEBSITE | | |
| *-cvr-aws-*.sys.comcast.net | WEBSITE | | |
| *signalservice.comcast.net | WEBSITE | | |
| *.dh-commerce.com | WEBSITE | | |
| *.ssr.ccp.xcal.tv | WEBSITE | | |
| orc-xfi.com | WEBSITE | | |
| *.xfiplatform.com | WEBSITE | | |
| https://apps.apple.com/us/app/xfinity/id1178765645 | IOS | | |
| Xfinity iOS mobile app | IOS | | |
| https://play.google.com/store/apps/details?id=com.xfinity.digitalhome&hl=en_US&gl=US | ANDROID | | |
| Xfinity Android mobile app | ANDROID | | |
| xhomeapi-*.codebig2.net | API | | |
| xhomeapi-*.cloud.comcast.net | API | | |
| Xfinity Home Hardware (items listed below in brief) | HARDWARE | | |
| Xfinity Home cameras | IOT | | |
| speedtest.xfinity.com | WEBSITE | | |
| siorc.xfinity.com | API | | |
| smartinet.xfinity.com | WEBSITE | | |
| gw.api.dh.comcast.com | API | | |
| xFi Gateways (e.g., XB3, XB6, XB7) | HARDWARE | | |
| xFi Pods | HARDWARE | | |
| https://csp-prod.codebig2.net | API | | |
| csp-pci.prod.codebig2.net | API | | |
| aiq-prod.codebig2.net | API | | |
| *.xfinityhome.com | WEBSITE | | |
Out-of-Scope Assets
- 3rd Party Devices (known as Works with Xfinity)
- oauth.xfinity.com
- https://login.xfinity.com
- *.xerxessecure.com
- *.cimcontent.net
- *.identity.xfinity.com
- *.business.comcast.com
- *.hfc.comcastbusiness.net
- *.hsd1.*.comcast.net
- *.pulseinsights.com
- *.wurfulcloud.com
- *.appcenter.ms
- *.kampyle.com
- *.demdex.net
- *.openx.net
- *.criteo.net
- *.webcontentassessor.com
- *.amazon-adsystem.com
- *.adobedtm.com
- *.adnxs.com
Tips for Hacking Xfinity Home & xFi
- Read the policy — Understand what is in scope, what is out of scope, and any testing restrictions before you start. The exclusion list above is long: it covers the login and identity hosts, Comcast Business and residential HSD address space, and a set of third-party analytics and advertising domains that happen to load on in-scope pages.
- Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map accessible endpoints, but run every discovered host through the in-scope wildcard patterns and the out-of-scope list before sending it a request. A host under a Comcast domain is not automatically in scope; patterns such as *.hsd1.*.comcast.net exclude large parts of it.
- Focus on high-impact bugs — Prioritise SQL injection, SSRF and IDOR. The API hosts listed above (xhomeapi-*, gw.api.dh.comcast.com, siorc.xfinity.com, the codebig2.net endpoints) are where object-level authorization checks matter most. The hardware and IoT entries (xFi Gateways, xFi Pods, Xfinity Home cameras) are in scope, but test only devices and accounts you control; third-party Works with Xfinity devices are excluded.
- Test authentication flows — Check for OAuth misconfigurations and CSRF in login and signup flows. Note that oauth.xfinity.com, https://login.xfinity.com and *.identity.xfinity.com are out of scope, so the target is how the in-scope web, mobile and API assets consume and validate tokens and sessions, not the identity provider itself.
- Write clear reports — Include steps to reproduce, an impact assessment, and suggested remediation, with Burp Suite request/response captures as evidence.
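A scope filter for enumeration output, added here as a worked example (it is not Bugcrowd's or Comcast's tooling). It turns the host patterns from the two lists above into a classifier so that hostnames found during subdomain enumeration can be filtered before any request is sent: the out-of-scope list takes precedence, and a wildcard such as *.xfinityhome.com is read conservatively as subdomains only, so the apex is not treated as in scope unless it is listed by itself. The sample hostnames at the bottom are constructed, not reconnaissance data, and the business.comcast.com exclusion, which is garbled on the page, is assumed to mean *.business.comcast.com.

```python
"""Host scope checker built from the in-scope and out-of-scope lists above."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Host entries copied from the in-scope table. Hardware, mobile-app and
# app-store entries are not hostnames and are deliberately left out.
IN_SCOPE = [
    "https://home.xfinity.com", "Internet.xfinity.com",
    "*-cvr-aws-*.sys.comcast.net", "*signalservice.comcast.net",
    "*.dh-commerce.com", "*.ssr.ccp.xcal.tv", "orc-xfi.com",
    "*.xfiplatform.com", "xhomeapi-*.codebig2.net",
    "xhomeapi-*.cloud.comcast.net", "speedtest.xfinity.com",
    "siorc.xfinity.com", "smartinet.xfinity.com", "gw.api.dh.comcast.com",
    "https://csp-prod.codebig2.net", "csp-pci.prod.codebig2.net",
    "aiq-prod.codebig2.net", "*.xfinityhome.com",
]

# Host entries from the out-of-scope list. The business.comcast.com entry is
# garbled on the page; it is ASSUMED here to mean *.business.comcast.com.
OUT_OF_SCOPE = [
    "oauth.xfinity.com", "https://login.xfinity.com", "*.xerxessecure.com",
    "*.cimcontent.net", "*.identity.xfinity.com", "*.business.comcast.com",
    "*.hfc.comcastbusiness.net", "*.hsd1.*.comcast.net", "*.pulseinsights.com",
    "*.wurfulcloud.com", "*.appcenter.ms", "*.kampyle.com", "*.demdex.net",
    "*.openx.net", "*.criteo.net", "*.webcontentassessor.com",
    "*.amazon-adsystem.com", "*.adobedtm.com", "*.adnxs.com",
]


def host_of(target: str) -> str:
    """Reduce a URL, host:port or bare hostname to a lowercase hostname."""
    if "://" not in target:
        target = "//" + target            # lets urlsplit parse a bare host
    host = urlsplit(target).hostname      # drops scheme, userinfo, port, path
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.rstrip(".").lower()


def _normalised(patterns):
    # Entries with a scheme are plain hosts; wildcard entries must not go
    # through urlsplit because "*" is not a valid hostname.
    out = []
    for p in patterns:
        p = p.strip().lower()
        out.append(host_of(p) if "://" in p else p)
    return out


IN_SCOPE_PATTERNS = _normalised(IN_SCOPE)
OUT_OF_SCOPE_PATTERNS = _normalised(OUT_OF_SCOPE)


def matches(host: str, pattern: str) -> bool:
    """Shell-style match; '*' may span dots, as *.hsd1.*.comcast.net needs."""
    return fnmatchcase(host, pattern)


def classify(target: str) -> str:
    """Return 'out-of-scope', 'in-scope' or 'unknown' for a URL or hostname."""
    host = host_of(target)
    if any(matches(host, p) for p in OUT_OF_SCOPE_PATTERNS):
        return "out-of-scope"   # exclusions win even if an inclusion also matches
    if any(matches(host, p) for p in IN_SCOPE_PATTERNS):
        return "in-scope"
    return "unknown"            # listed nowhere: do not test without asking


def filter_in_scope(hosts):
    """Keep only hosts that classify as in-scope, e.g. to feed a scanner."""
    return [h for h in hosts if classify(h) == "in-scope"]


if __name__ == "__main__":
    # Constructed sample of enumeration output, not real reconnaissance data.
    found = [
        "https://home.xfinity.com/", "app-cvr-aws-01.sys.comcast.net",
        "xhomeapi-prod.codebig2.net", "www.xfinityhome.com", "xfinityhome.com",
        "login.xfinity.com", "c-1-2-3-4.hsd1.pa.comcast.net",
        "sso.identity.xfinity.com",
    ]
    for h in found:
        print(f"{classify(h):13} {h}")
```

The "unknown" result is deliberate: a host that matches neither list is not fair game just because it sits under a Comcast domain, and the conservative apex handling means xfinityhome.com itself reports as unknown even though *.xfinityhome.com is listed. Adjust the two lists as the program policy changes; the matcher itself needs no other edits.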
Frequently Asked Questions
How do I start hacking Xfinity Home & xFi?
Sign up on Bugcrowd, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.
Does Xfinity Home & xFi pay bounties?
Yes, Xfinity Home & xFi offers monetary rewards for valid security vulnerabilities.
What types of vulnerabilities does Xfinity Home & xFi accept?
Xfinity Home & xFi accepts reports for vulnerabilities found in the 26 in-scope assets listed above. Commonly accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy on Bugcrowd for specific exclusions and for the severity rules that determine the payout.