Skip to content

Sunrun Vulnerability Disclosure Program

We’re excited to share that Sunrun is launching a Vulnerability Disclosure Program (VDP) in collaboration with Bugcrowd! This is part of our ongoing efforts to strengthen our security posture and work more closely with the security community.

Researchers and ethical hackers can now report potential vulnerabilities in a responsible way and help us keep our systems secure. As a token of appreciation, we’ll be rewarding valid submissions with Sunrun-branded merchandise — a small thank-you that highlights your contribution to creating a planet run by the sun.

More details will be available soon on our main domain — stay tuned!

Guidelines for Vulnerability Disclosure

  • Reporting: If you discover a vulnerability, please report it promptly to SunRun-VDP@submit.bugcrowd.com.

  • Provide Details: Include a clear description of the vulnerability, steps to reproduce it, and any supporting documentation or proof of concept.

  • Confidentiality: Do not disclose vulnerability details publicly until we have had sufficient time to investigate and remediate the issue.

  • Legal Conduct: Avoid any activity that could harm Sunrun, our customers, or third parties.

Exclusions

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms

  • Attacks requiring MITM or physical access to a user’s device

  • Previously known vulnerable libraries without a working proof of concept

  • Any activity that leads to service disruption (DoS attacks)

  • Content spoofing without an exploit vector

  • Rate limiting or brute force attacks on non-authentication endpoints

  • Vulnerabilities affecting outdated or unpatched browsers

  • Software version disclosure or descriptive error messages

  • Open redirects unless a security impact is demonstrated

Acknowledgment

Sunrun values the contributions of security researchers who report vulnerabilities responsibly. While we do not offer a bug bounty at this time, we recognize the efforts of researchers in helping to secure our platform.

Policy Updates

Sunrun reserves the right to modify this policy at any time. Please check this page periodically for updates.

Thank you for helping keep Sunrun and our customers secure!