Vulnerability Disclosure
Vulnerability Reporting Policy
Hyundai Motor Europe GmbH and its affiliated companies in Europe (“Hyundai Motor Europe”) appreciate the efforts of security researchers and welcome any information about vulnerabilities that enables Hyundai Motor Europe to enhance the security of our products and/or services (such as our digital services, IT environment or our vehicles). We will investigate and respond to all legitimate vulnerability reports submitted according to the instructions below in a timely manner.
If you have any information about a vulnerability in a Hyundai Motor Company product and/or service, please let us know by submitting a report in accordance with this policy. We kindly request that you do not publicly disclose any vulnerabilities found so that we have the opportunity to analyse the reported vulnerability and, if necessary, define appropriate measures.
By submitting a report under this program, you agree to our terms as set out below that form an integral part of our Vulnerability Reporting Policy:
- Conduct your testing, research and reporting activities in accordance with applicable laws, regulations and other statutory provisions,
- Do not engage in testing or research that may harm or put at risk Hyundai Motor Company or its affiliates, Hyundai employees, customers, passengers in Hyundai vehicles, or other third-party individuals or entities, including Hyundai dealerships and their employees,
- Do not disrupt, compromise, or damage any vehicle or data, except those used with the owner’s consent for responsible sharing,
- Avoid accessing or disclosing any personal data, in particular that of Hyundai customers, passengers of Hyundai vehicles, employees or other third-party individuals,
- Do not compromise or disclose confidential or proprietary data belonging to Hyundai Motor Company or any of its affiliates, employees, customers, passengers in Hyundai vehicles, or other third-party individuals or entities, including Hyundai authorized dealerships and their employees,
- Do not test the physical security of any Hyundai Motor Company property or facility, or the properties or facilities of Hyundai Motor Europe affiliates or related third parties,
- Do not perform any kind of denial-of-service testing or over-exhaust an IT function,
- Do not perform social engineering, spam, or phishing/spear phishing attacks,
- Do not participate or submit vulnerability reports if you are employed by Hyundai Motor Company, or its affiliate company, or a Hyundai Motor Company supplier, or are acting on behalf of someone employed by Hyundai Motor Company. If you are a member of one of these entities, please report the issue to your management, who is then to report to Hyundai Motor Company directly, and
- Please provide contact information for further queries.
In submitting vulnerability reports, please note that although Hyundai Motor Europe sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.
Items Not Considered Vulnerabilities
Hyundai Motor Europe does not consider the following items to be valid vulnerabilities under this Vulnerability Reporting Policy:
- Physical security vulnerabilities of Hyundai Motor Company facilities or properties
- Denial-of-service testing or actions causing an IT function overload
- Vulnerabilities arising from misconfigured systems that are not under Hyundai Motor Company’s control
- Vulnerabilities that are not cybersecurity-specific
- Reports with evidence only from automated tools or scans
- Rate limiting or brute-force issues on non-authentication endpoints
- Any social engineering attacks, including phishing attacks
- Open redirects/URL Forwarding
- Click-jacking attacks
- Self-exploitation (e.g., Self-XSS, Cookie reuse)
- Speculative reports on theoretical damage without evidence or substantive information indicating exploitability
- Invalid or missing SPF (Sender Policy Framework) records
- Physical destruction of lock/anti-theft devices
- Gaining access to the vehicle by physical destruction
- Use of valid diagnostic functions
- Relay attack or Roll-Jam attacks
Please ensure your reports focus on cybersecurity vulnerabilities related to Hyundai products and services as defined within the scope of this policy. If issues reported involve a third-party library, external project, or another vendor, we will fulfill our responsibility by forwarding the relevant details to the appropriate party without further discussion with the researcher. We will make every effort to coordinate and maintain clear communication with researchers throughout this process.
When submitting reports, we expect that you will:
Describe the alleged vulnerability, including
- The time when the vulnerability was discovered,
- The prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability,
- The setup configuration and modification of the Hyundai product and/or services, and
- Where possible, include proof-of-concept code to facilitate our analysis and triage of your report.
Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.
Please allow us to manage the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.
Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in any Hyundai Motor Company product and/or service, please contact us at vulnerability@hyundai-europe.com by encrypting your message using Hyundai Motor Europe’s public PGP key.
We will be sure to respond promptly to your report. By submitting a report, you agree that we may use the information in your report in whatever ways we see fit to enhance the cybersecurity of Hyundai products and services. This may include sharing information from your vulnerability report with other entities within the Hyundai Motor group, as far as necessary.