Hey everyone,
We’re excited to announce that Sunrun has officially launched its Vulnerability Disclosure Program (VDP)!
We’re inviting the security community to help us identify and responsibly disclose any vulnerabilities in our applications and infrastructure. This is part of our broader effort to strengthen our security posture and build trust with our users.
Program Details:
- Submission Email: [email protected]
- Scope: Includes core customer-facing web/mobile applications and backend services
- Response SLA: Initial triage within 5 business days
- Rewards: While we haven’t launched bounty payments yet, we’re offering exclusive swag and gifts as appreciation for valuable findings
Whether you’re a seasoned researcher or just exploring bug hunting, your input is valuable. Our internal team actively reviews all submissions and prioritizes remediation based on severity and impact.
We’re also working to expand visibility through security.txt, DNS records, social media, and more. Any feedback or ideas on how to improve are more than welcome.
Thanks for helping us create a safer future — together.
—
Ebrahim Aref
Security Engineer @ Sunrun