Vulnerability Disclosure

Vulnerability Reporting Policy

Kia Europe GmbH and its affiliated companies ("Kia Europe") appreciate the efforts of security researchers and welcome any information about vulnerabilities that enables Kia to enhance the security of our products and/or services (such as our digital services, IT environment or our vehicles). We will investigate and respond in a timely manner to all legitimate vulnerability reports submitted according to the instructions below.

If you have any information about a vulnerability in a Kia Europe product and/or service, please let us know by submitting a report in accordance with this policy. We kindly request that you do not publicly disclose any vulnerabilities found until we have had the opportunity to analyse the reported vulnerability and, if necessary, define appropriate measures.

 

By submitting a report under this program, you agree to the following terms, which form an integral part of our Vulnerability Reporting Policy:

- Conduct your testing, research and reporting activities in accordance with applicable laws, regulations and other statutory provisions,
- Kia will not compensate any damage caused by responsible disclosure,
- Do not engage in testing or research that may harm or put at risk Kia or its affiliates, Kia employees, customers, passengers in Kia vehicles, or other third-party individuals or entities, including Kia dealerships and their employees,
- Do not disrupt, compromise, or harm any vehicle or data except those used with the owner's consent for responsible sharing,
- Avoid accessing or disclosing any personal data, in particular that of Kia customers, passengers in Kia vehicles, employees, or other third-party individuals,
- Do not compromise or disclose confidential or proprietary data belonging to Kia or any of its affiliates, employees, customers, passengers in Kia vehicles, or other third-party individuals or entities, including Kia authorized dealerships and their employees,
- Do not test the physical security of any Kia Europe property or facility, or the properties or facilities of Kia Europe affiliates or related third parties,
- Do not perform any kind of denial-of-service testing or over-exhaust an IT function,
- Do not perform social engineering, spam, or phishing/spear-phishing attacks,
- Do not participate or submit vulnerability reports if you are employed by Kia, an affiliate company, or a Kia supplier, or are acting on behalf of someone employed by Kia. If you are a member of one of these entities, please report the issue to your management, who will then report it to Kia directly, and
- Please provide a contact for further queries.

In submitting vulnerability reports, please note that although Kia Europe sincerely values vulnerability reports, we do not provide monetary compensation ("bounties") or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.

Items Not Considered Vulnerabilities

Kia Europe does not consider the following items to be valid vulnerabilities under this Vulnerability Reporting Policy:

- Reports stemming from physical security testing of Kia’s facilities or properties

- Denial-of-service testing or actions causing an IT function overload

- Vulnerabilities arising from misconfigured systems that are not under Kia’s control

- Other issues that do not pertain to cybersecurity vulnerabilities

- Social engineering attacks, including phishing

- Reports with evidence only from automated tools or scans

- Rate limiting or brute-force issues on non-authentication endpoints

- Open redirects/URL Forwarding

- Click-jacking attacks

- Self-exploitation (e.g., Self-XSS, Cookie reuse)

- Speculative reports on theoretical damage without evidence or substantive information indicating exploitability

- Invalid or missing SPF (Sender Policy Framework) records

- Physical destruction of lock/anti-theft devices

- Gaining access to the vehicle by physical destruction

- Use of valid diagnostic functions

- Relay attacks or RollJam attacks

Please ensure your reports focus on cybersecurity vulnerabilities related to Kia Europe products and services as defined within the scope of this policy. If issues reported involve a third-party library, external project, or another vendor, we will fulfill our responsibility by forwarding the relevant details to the appropriate party without further discussion with the researcher. We will make every effort to coordinate and maintain clear communication with researchers throughout this process.

 

When submitting reports, we expect that you will:

- Describe the alleged vulnerability, including:
  - The time when the vulnerability was discovered,
  - The prerequisites and general conditions that must be fulfilled in order to exploit the vulnerability,
  - The setup, configuration and any modification of the Kia Europe product and/or service, and
  - Where possible, proof-of-concept code to facilitate our analysis and triage of your report.
- Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.
- Allow us to manage the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties.

 

Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in any Kia Europe product and/or service, please contact us at vulnerability@kia-europe.com, encrypting your message with Kia Europe's public PGP key, which is available for download on this page.
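As an added example (not Kia Europe's own tooling, and not part of the original page), these are the GnuPG steps a researcher would typically run to prepare such a report: import the downloaded key, record its fingerprint so it can be confirmed through a separate channel, then encrypt the report to that fingerprint and sign it with your own key so the recipient can verify who sent it. The file names kia-europe.asc and report.txt, the use of the fingerprint rather than the e-mail address as the recipient, and the use of your default secret key for signing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Kia Europe's own tooling. Assumed file names:
#   kia-europe.asc  - the public key downloaded from the disclosure page
#   report.txt      - the plaintext vulnerability report
set -eu

# import_key KEYFILE HOMEDIR
# Imports KEYFILE into the GnuPG home directory HOMEDIR and prints the
# primary key fingerprint. Encrypting to the fingerprint (not to an e-mail
# address) avoids picking up another key that carries the same user ID.
import_key() {
    keyfile=$1
    homedir=$2
    gpg --batch --quiet --homedir "$homedir" --import "$keyfile"
    gpg --batch --homedir "$homedir" --with-colons \
        --import-options show-only --import "$keyfile" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report HOMEDIR FINGERPRINT REPORT OUTFILE
# Signs REPORT with your default secret key and encrypts it to FINGERPRINT,
# writing ASCII-armored output that can be pasted into an e-mail.
# --trust-model always skips the web-of-trust check for a key you have just
# verified out of band; --yes overwrites an existing OUTFILE.
encrypt_report() {
    homedir=$1
    fpr=$2
    report=$3
    outfile=$4
    gpg --yes --homedir "$homedir" --trust-model always --armor \
        --sign --encrypt --recipient "$fpr" --output "$outfile" "$report"
}

# Stand-alone usage against your normal keyring: sh encrypt_report.sh run
if [ "${1:-}" = "run" ]; then
    home=${GNUPGHOME:-$HOME/.gnupg}
    fpr=$(import_key kia-europe.asc "$home")
    echo "Imported key fingerprint (confirm via a separate channel): $fpr"
    encrypt_report "$home" "$fpr" report.txt report.txt.asc
    echo "Wrote report.txt.asc"
fi
```

Send the resulting report.txt.asc as the message body or attachment; keep the plaintext report.txt off shared systems until the issue is resolved.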

 

 

We will be sure to respond promptly to your report. By submitting a report, you agree that we may use the information in your report in whatever ways we see fit to enhance the cybersecurity of Kia products and services. This may include sharing information from your vulnerability report with other entities within the Hyundai Motor Group, as far as necessary.