Sunrun Vulnerability Disclosure Program
We’re excited to share that Sunrun is launching a Vulnerability Disclosure Program (VDP) in collaboration with Bugcrowd! This is part of our ongoing efforts to strengthen our security posture and work more closely with the security community.
Researchers and ethical hackers can now report potential vulnerabilities in a responsible way and help us keep our systems secure. As a token of appreciation, we’ll be rewarding valid submissions with Sunrun-branded merchandise — a small thank-you that highlights your contribution to creating a planet run by the sun.
More details will be available soon on our main domain — stay tuned!
Guidelines for Vulnerability Disclosure
Reporting: If you discover a vulnerability, please report it promptly to SunRun-VDP@submit.bugcrowd.com.
Provide Details: Include a clear description of the vulnerability, steps to reproduce it, and any supporting documentation or proof of concept.
Confidentiality: Do not disclose vulnerability details publicly until we have had sufficient time to investigate and remediate the issue.
Legal Conduct: Avoid any activity that could harm Sunrun, our customers, or third parties.
Exclusions
The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms
Attacks requiring MITM or physical access to a user’s device
Previously known vulnerable libraries without a working proof of concept
Any activity that leads to service disruption (DoS attacks)
Content spoofing without an exploit vector
Rate limiting or brute force attacks on non-authentication endpoints
Vulnerabilities affecting outdated or unpatched browsers
Software version disclosure or descriptive error messages
Open redirects unless a security impact is demonstrated
Acknowledgment
Sunrun values the contributions of security researchers who report vulnerabilities responsibly. While we do not offer a bug bounty at this time, we recognize the efforts of researchers in helping to secure our platform.
Policy Updates
Sunrun reserves the right to modify this policy at any time. Please check this page periodically for updates.
Thank you for helping keep Sunrun and our customers secure!