Sunrun is committed to maintaining the highest standards of security across our platforms and services. We welcome contributions from the security research community and recognize the vital role they play in protecting our customers. This Vulnerability Disclosure Program (VDP) outlines the rules, scope, process, and commitments that define how Sunrun engages with researchers.

Scope of the Program

The following assets are considered in-scope for this program:

• .ai.sunrun.com (all subdomains are considered in-scope, including portal.ai.sunrun.com,
  sunsim.ai.sunrun.com, pricing-engine.ai.sunrun.com, etc.)

• Public-facing Sunrun web and mobile applications

• APIs and microservices directly supporting customer-facing applications

• Sunrun ONE (Web + Mobile)

Out of Scope:

• Denial of Service (DoS) attacks or stress tests

• Physical security testing

• Social engineering or phishing targeting Sunrun employees

• Vulnerabilities that require root/jailbreak on customer devices

Rules of Engagement

• Do not exploit vulnerabilities beyond what is necessary to demonstrate proof of concept.

• Do not exfiltrate, manipulate, or delete any data.

• Avoid privacy violations, destruction of data, or interruption of services.

• Provide detailed steps for reproduction, along with affected URLs/endpoints.

• Respect customer privacy and comply with all legal restrictions.

Responsible Disclosure Timeline

We follow industry best practices (aligned with Apple, Google, and other leading companies) in handling vulnerability disclosures:

• Researchers must not publicly disclose details of a vulnerability until Sunrun has remediated the issue and communicated resolution.

• Sunrun commits to acknowledging receipt of a submission within 3 business days.

• Sunrun commits to providing updates on the status within 14 business days.

• Resolution timelines vary depending on severity, but high/critical issues are prioritized with accelerated response.

• Once a fix is deployed, Sunrun will publish an advisory if the issue impacted customers.

Submission Process

Researchers can submit vulnerabilities via:

• Email: SunRun-VDP@submit.bugcrowd.com

• Bugcrowd submission portal: https://bugcrowd.com/ engagements/sunrun-vdp-pro

Submissions should include:

• Title and description of the issue

• Steps to reproduce (PoC)

• Affected systems/URLs

• Screenshots or logs when applicable

Recognition & Incentives

Sunrun operates a VDP Pro with Bugcrowd. While this program does not provide direct monetary rewards, researchers gain Bugcrowd platform points, which increase visibility and eligibility for private paid programs. Additionally, Sunrun will acknowledge valid submissions and may include top contributors in public recognition where appropriate.

Recognition & Incentives

Sunrun operates a VDP Pro with Bugcrowd. While this program does not provide direct monetary rewards, researchers gain Bugcrowd platform points, which increase visibility and eligibility for private paid programs. Additionally, Sunrun will acknowledge valid submissions and may include top contributors in public recognition where appropriate.

Our Commitments to Researchers

• We will not pursue legal action against researchers who act in good faith and comply with this policy.

• We will acknowledge submissions promptly and communicate throughout the lifecycle of the report.

• We will prioritize remediation of valid findings according to severity.

• We will provide feedback on invalid or duplicate submissions.

Monitoring & Reporting

Sunrun Security continuously monitors submissions, triage progress, and resolution timelines. We track KPIs such as vulnerability coverage, time-to-triage, and time-to-fix. Monthly reports are reviewed internally and with Bugcrowd to ensure continuous improvement.