Sunrun Vulnerability Disclosure Program
Sunrun is committed to maintaining the highest standards of security across our platforms and services. We welcome contributions from the security research community and recognize the vital role they play in protecting our customers. This Vulnerability Disclosure Program (VDP) outlines the rules, scope, process, and commitments that define how Sunrun engages with researchers.
Scope of the Program
The following assets are considered in-scope for this program:
.ai.sunrun.com (all subdomains are considered in-scope, including portal.ai.sunrun.com, sunsim.ai.sunrun.com, pricing-engine.ai.sunrun.com, etc.)
Public-facing Sunrun web and mobile applications
APIs and microservices directly supporting customer-facing applications
Sunrun ONE (Web + Mobile)
Out of Scope:
Denial of Service (DoS) attacks or stress tests
Physical security testing
Social engineering or phishing targeting Sunrun employees
Vulnerabilities that require root/jailbreak on customer devices
Rules of Engagement
Do not exploit vulnerabilities beyond what is necessary to demonstrate proof of concept.
Do not exfiltrate, manipulate, or delete any data.
Avoid privacy violations, destruction of data, or interruption of services.
Provide detailed steps for reproduction, along with affected URLs/endpoints.
Respect customer privacy and comply with all legal restrictions.
Responsible Disclosure Timeline
We follow industry best practices (aligned with Apple, Google, and other leading companies) in handling vulnerability disclosures:
Researchers must not publicly disclose details of a vulnerability until Sunrun has remediated the issue and communicated resolution.
Sunrun commits to acknowledging receipt of a submission within 3 business days.
Sunrun commits to providing updates on the status within 14 business days.
Resolution timelines vary depending on severity, but high/critical issues are prioritized with accelerated response.
Once a fix is deployed, Sunrun will publish an advisory if the issue impacted customers.
Submission Process
Researchers can submit vulnerabilities via:
Email: SunRun-VDP@submit.bugcrowd.com
Bugcrowd submission portal: https://bugcrowd.com/engagements/sunrun-vdp-pro
Submissions should include:
Title and description of the issue
Steps to reproduce (PoC)
Affected systems/URLs
Screenshots or logs when applicable
Recognition & Incentives
Sunrun operates a VDP Pro with Bugcrowd. While this program does not provide direct monetary rewards, researchers gain Bugcrowd platform points, which increase visibility and eligibility for private paid programs. Additionally, Sunrun will acknowledge valid submissions and may include top contributors in public recognition where appropriate.
Our Commitments to Researchers
We will not pursue legal action against researchers who act in good faith and comply with this policy.
We will acknowledge submissions promptly and communicate throughout the lifecycle of the report.
We will prioritize remediation of valid findings according to severity.
We will provide feedback on invalid or duplicate submissions.
Monitoring & Reporting
Sunrun Security continuously monitors submissions, triage progress, and resolution timelines. We track KPIs such as vulnerability coverage, time-to-triage, and time-to-fix. Monthly reports are reviewed internally and with Bugcrowd to ensure continuous improvement.