Vulnerability Reporting Policy

Hyundai Motor Europe GmbH and its affiliated companies in Europe (“Hyundai Motor Europe”) appreciate the efforts of security researchers and welcome any information about vulnerabilities that enables Hyundai Motor Europe to enhance the security of our products and/or services (such as our digital services, IT environment or our vehicles). We will investigate and respond to all legitimate vulnerability reports submitted according to the instructions below in a timely manner. Vulnerabilities and/or issues found on Hyundai Motor Europe products and/or services outside of Europe are out of scope of this Vulnerability Reporting Policy.

If you have any information about a vulnerability in a Hyundai Motor Europe product and/or service, please let us know by submitting a report in accordance with this policy. We kindly request that you do not publicly disclose any vulnerabilities found so that we have the opportunity to analyse the reported vulnerability and, if necessary, define appropriate measures.

By submitting a report under this program, you agree to our terms as set out below that form an integral part of our Vulnerability Reporting Policy:

  • Conduct your testing, research and reporting activities in accordance with applicable laws, regulations and other statutory provisions,
  • Hyundai Motor Europe will not compensate for any damage caused by responsible disclosure,
  • Do not engage in testing or research that may harm or put at risk Hyundai Motor Europe or its affiliates Hyundai, its employees, its customers, passengers in Hyundai vehicles, or other third-party individuals or entities including Hyundai dealerships and their employees,
  • Do not disrupt, compromise, or damage any vehicle or data, except those used with the owner's consent for the responsible sharing,
  • Avoid accessing or disclosing any personal data, in particular that of Hyundai customers, passengers of Hyundai vehicles, employees or other third-party individuals,
  • Do not compromise or disclose confidential or proprietary data belonging to Hyundai Motor Europe or any of its affiliates, employees, its customers, passengers in Hyundai vehicles, or other third-party individuals or entities, including Hyundai authorized dealerships and their employees,
  • Do not test the physical security of any Hyundai Motor Europe property or facility, or the properties or facilities of Hyundai Motor Europe affiliates or related third parties,
  • Do not perform any kind of denial-of-service testing or over-exhaust an IT function,
  • Do not perform social engineering, spam, or phishing/spear phishing attacks,
  • Do not participate or submit vulnerability reports if you are employed by Hyundai Motor Europe, or its affiliate company, or a Hyundai Motor Europe supplier, or are acting on behalf of someone employed by Hyundai Motor Europe. If you are a member of one of these entities, please report the issue to your management, who is then to report to Hyundai Motor Europe directly, and
  • Please provide contact information for further queries.

In submitting vulnerability reports, please note that although Hyundai Motor Europe sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.

Items Not Considered Vulnerabilities
Hyundai Motor Europe does not consider the following items to be valid vulnerabilities under this Vulnerability Reporting Policy:

  • Issues related to products or services outside of Europe
  • Reports stemming from physical security testing of Hyundai Motor Europe facilities or properties
  • Denial-of-service testing or actions causing an IT function overload
  • Vulnerabilities arising from misconfigured systems that are not under Hyundai Motor Europe’s control
  • Other issues that do not pertain to cybersecurity vulnerabilities
  • Reports from automated tools or scans.
  • Brute-force attack
  • Social engineering, Phishing attacks
  • Open redirects/URL Forwarding
  • Click-jacking attacks, URL Forwarding
  • Self-exploitation (e.g., Self-XSS, Cookie reuse)
  • Speculative reports on theoretical damage without evidence or substantive information indicating exploitability.
  • Invalid or missing SPF (Sender Policy Framework) records
  • Physical destruction of lock / Anti-theft devices
  • Use of valid diagnostic functions
  • Relay attack, Roll-jam attacks

Please ensure your reports focus on cybersecurity vulnerabilities related to Hyundai products and services as defined within the scope of this policy. If issues reported involve a third-party library, external project, or another vendor, we will fulfill our responsibility by forwarding the relevant details to the appropriate party without further discussion with the researcher. We will make every effort to coordinate and maintain clear communication with researchers throughout this process.

When submitting reports, we expect that you will:

Describe the alleged vulnerability, including

  • The time when the vulnerability was discovered,
  • The prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability,
  • The setup configuration and modification of the Hyundai product and/or services, and
  • Where possible, include proof-of-concept code to facilitate our analysis and triage of your report.

Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.

Please allow us to manage the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe. Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in any Hyundai Motor Europe product and/or service, please contact us at vulnerability@hyundai-europe.com by encrypting your message using Hyundai Motor Europe’s public PGP key.

We will be sure to respond promptly to your report. By submitting a report, you agree that we may use the information in your report in whatever ways we see fit to enhance the cybersecurity of Hyundai products and services. This may include sharing information from your vulnerability report with other entities within the Hyundai Motor group, as far as necessary.