Skip to content

Sunrun Vulnerability Disclosure Program

We’re excited to share that Sunrun is launching a Vulnerability Disclosure Program (VDP) in collaboration with Bugcrowd! This is part of our ongoing efforts to strengthen our security posture and work more closely with the security community.

Researchers and ethical hackers can now report potential vulnerabilities in a responsible way and help us keep our systems secure. As a token of appreciation, we’ll be rewarding valid submissions with Sunrun-branded merchandise — a small thank-you that highlights your contribution to creating a planet run by the sun.

Guidelines for Vulnerability Disclosure

  • Reporting: If you discover a vulnerability, please report it promptly to SunRun-VDP@submit.bugcrowd.com or use the submission form below.

  • Provide Details: Include a clear description of the vulnerability, steps to reproduce it, and any supporting documentation or proof of concept. Screenshots, videos, HTTP request samples, headers, timestamps, and device/browser info are all helpful for reproduction.

  • Confidentiality: Do not disclose vulnerability details publicly until we have had sufficient time to investigate and remediate the issue.

  • Legal Conduct: Avoid any activity that could harm Sunrun, our customers, or third parties.

Researcher Conduct

  • Do not perform social engineering, phishing, or physical intrusion.

  • Avoid testing that impacts third-party services.

  • Do not access, alter, or destroy data that doesn’t belong to you.

  • Do not perform denial-of-service (DoS/DDoS) or spam.

Exclusions

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms

  • Attacks requiring MITM or physical access to a user’s device

  • Previously known vulnerable libraries without a working proof of concept

  • Any activity that leads to service disruption (DoS attacks)

  • Content spoofing without an exploit vector

  • Rate limiting or brute force attacks on non-authentication endpoints

  • Vulnerabilities affecting outdated or unpatched browsers

  • Software version disclosure or descriptive error messages

  • Open redirects unless a security impact is demonstrated

Sunrun Commitments

Sunrun commits to:

  • Reviewing and triaging valid submissions via Bugcrowd within service-level objectives.

  • Responding to critical (P1) issues within one business day of triage.

  • Not taking legal action against good-faith researchers who follow our guidelines.

  • Maintaining confidentiality and transparency with the researcher throughout the process.

Bug Crowd Submission Form

To submit a a vulnerability, please use this form:

https://bugcrowd.com/ engagements/sunrun-vdp-pro

Acknowledgment

Sunrun values the contributions of security researchers who report vulnerabilities responsibly. While we do not offer a bug bounty at this time, we recognize the efforts of researchers in helping to secure our platform.

Policy Updates

Sunrun reserves the right to modify this policy at any time. Please check this page periodically for updates.

Thank you for helping keep Sunrun and our customers secure!