Sunrun Vulnerability Disclosure Program
We’re excited to share that Sunrun is launching a Vulnerability Disclosure Program (VDP) in collaboration with Bugcrowd! This is part of our ongoing efforts to strengthen our security posture and work more closely with the security community.
Researchers and ethical hackers can now report potential vulnerabilities in a responsible way and help us keep our systems secure. As a token of appreciation, we’ll be rewarding valid submissions with Sunrun-branded merchandise — a small thank-you that highlights your contribution to creating a planet run by the sun.
Guidelines for Vulnerability Disclosure
Reporting: If you discover a vulnerability, please report it promptly to SunRun-VDP@submit.bugcrowd.com or use the submission form below.
Provide Details: Include a clear description of the vulnerability, steps to reproduce it, and any supporting documentation or proof of concept. Screenshots, videos, HTTP request samples, headers, timestamps, and device/browser info are all helpful for reproduction.
Confidentiality: Do not disclose vulnerability details publicly until we have had sufficient time to investigate and remediate the issue.
Legal Conduct: Avoid any activity that could harm Sunrun, our customers, or third parties.
Researcher Conduct
Do not perform social engineering, phishing, or physical intrusion.
Avoid testing that impacts third-party services.
Do not access, alter, or destroy data that doesn’t belong to you.
Do not perform denial-of-service (DoS/DDoS) or spam.
Exclusions
The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms
Attacks requiring MITM or physical access to a user’s device
Previously known vulnerable libraries without a working proof of concept
Any activity that leads to service disruption (DoS attacks)
Content spoofing without an exploit vector
Rate limiting or brute force attacks on non-authentication endpoints
Vulnerabilities affecting outdated or unpatched browsers
Software version disclosure or descriptive error messages
Open redirects unless a security impact is demonstrated
Sunrun Commitments
Sunrun commits to:
Reviewing and triaging valid submissions via Bugcrowd within service-level objectives.
Responding to critical (P1) issues within one business day of triage.
Not taking legal action against good-faith researchers who follow our guidelines.
Maintaining confidentiality and transparency with the researcher throughout the process.
Bugcrowd Submission Form
To submit a vulnerability, please use this form:
https://bugcrowd.com/engagements/sunrun-vdp-pro
Acknowledgment
Sunrun values the contributions of security researchers who report vulnerabilities responsibly. While we do not offer a bug bounty at this time, we recognize the efforts of researchers in helping to secure our platform.
Policy Updates
Sunrun reserves the right to modify this policy at any time. Please check this page periodically for updates.
Thank you for helping keep Sunrun and our customers secure!