Vulnerability Reporting Policy

The Hyundai Motor Europe GmbH and its affiliated companies in Europe (“Hyundai Motor Europe”) appreciate the efforts of security researchers and welcomes any information about vulnerabilities that enables Hyundai Motor Europe to enhance the security of our products and/or services (such as our digital services, IT environment or our vehicles). We will investigate and respond to all legitimate vulnerability reports submitted according to the instructions below in a timely manner. Vulnerabilities and/or issues found on Hyundai Motor Europe products and/or service outside of Europe are out of scope for reporting to this Vulnerability Reporting Policy.

If you have any information about a vulnerability in a Hyundai Motor Europe product and/or service, please let us know by submitting a report in accordance with this policy. We kindly request that you do not publically disclose any vulnerabilities found until we have had the opportunity to analyse the reported vulnerability and, if necessary, define appropriate measures.

By submitting a report under this program, you agree to our terms as set out below that form an integral part of our Vulnerability Reporting Policy:

  • Conduct your testing, research and reporting activities in accordance applicable laws, regulations and other statutory provisions,
  • Do not engage in testing or research that may harm or put at risk Hyundai Motor Europe, its employees, its customers, passengers in Hyundai vehicles, or other third-party individuals or entities including Hyundai dealerships and their employees,
  • Do not disrupt, compromise, or harm any vehicle or data,
  • Avoid to access or disclose personal data belonging to Hyundai Motor Europe, its employees, its customers, passenger in its vehicles, or other third party-individuals or entities that might impact their privacy,
  • Do not compromise or disclose confidential or proprietary data belonging to Hyundai Motor Europe, its employees, its customers, passengers in its vehicles, or other third-party individuals or entities including Hyundai Motor Europe’s authorized dealerships and their employees,
  • Do not test the physical security of any Hyundai Motor Europe property or facility, or the properties or facilities of Hyundai Motor Europe affiliates or related third parties,
  • Do not perform any kind of denial-of-service testing or over-exhaust an IT function,
  • Do not perform social engineering, spam, or phishing/spear phishing attacks,
  • Do not participate or submit vulnerability reports if you are employed by Hyundai Motor Europe, or an affiliate company, or a Hyundai Motor Europe supplier, or are acting on behalf of someone employed by Hyundai Motor Europe. If you are a member of one these entities, please report the issue to your management, who is then to report to Hyundai Motor Europe, directly, and
  • Please provide a contact for further queries.

In submitting vulnerability reports, please note that although Hyundai Motor Europe sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.

When submitting reports, we expect that you will:

  • Describe the alleged vulnerability, including

   ○ The time when the vulnerability was discovered,

   ○ The prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability,

    ○ The set up configuration and modification of the Hyundai Motor Europe product and/or services, and

    ○ Where possible, include proof-of-concept code to facilitate our analysis and triage of your report.

  • Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.
  • Please allow us to disclose the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.

Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in any Hyundai Motor Europe product and/or service, please contact us at vulnerability@hyundai-europe.com.

We will be sure to respond promptly to your report. By submitting a report, you agree that Hyundai Motor Europe may use the information in your report in whatever ways we see fit. This may include to share information of your vulnerability report to other entities within the Hyundai group, as far as necessary.