Kia America Vulnerability Disclosure Policy

 

Vulnerability Reporting Program Overview

 

Kia America appreciates the efforts of security researchers and welcomes any information about potential cybersecurity vulnerabilities that enables us to enhance the security of our products and/or services in the United States – including our vehicles, websites, and digital services. We will investigate and respond to all legitimate reports of potential vulnerabilities submitted according to the instructions below in a timely manner. Please note that any vulnerabilities and/or issues found on products, services, or IT environments outside of the United States are out of scope for reporting to this vulnerability disclosure program.

 

Please also note that we do not award bounties for reporting vulnerabilities. 

 

Vulnerability Disclosure Scope

 

We are currently accepting reports about potential vulnerabilities related to the following: 

 

o  Kia vehicle vulnerabilities
   • Limited to Kia vehicles in the United States only
   • For potential vulnerabilities relating to Kia European Union, please refer to Kia EU’s Vulnerability Disclosure Site located here: Kia EU Vulnerability Disclosure

o  Kia website
   • https://kia.com/us/en

o  Kia Owners’ Portal website
   • https://owners.kia.com

o  Kia Access Mobile Application
   • iOS - Kia Access iOS
   • Android - Kia Access Android

 

Vulnerabilities and/or issues found on Kia products and/or services not listed above are out of scope for reporting in this Vulnerability Reporting Program at this time.

 

For any vehicle safety related submissions, please submit a report to the Kia America Consumer Affairs team located here: Kia US Vehicle Safety Submission

 

Disclosure Submission Rules

 

If you have any information about a potential vulnerability in a Kia America vehicle or system that is in scope of this program, please let us know by submitting a report in the manner described below. We request that you not publicly disclose any potential vulnerabilities until we have had the opportunity to analyze the issue and, if warranted, implement appropriate countermeasures.

 

By submitting a report under this program, you agree that Kia America may use the information from your report in whatever ways we see fit, and you agree to our terms as set out below:

 

- Conduct your testing, research and reporting activities in accordance with applicable laws, regulations, and other statutory provisions.
- Do not engage in testing or research that may harm or put at risk Kia America, its employees, its customers, passengers in Kia vehicles, or other third-party individuals or entities including Kia dealerships and their employees.
- Do not disrupt, compromise, or harm any vehicle or data other than that which you own.
- Do not access or disclose personal information or personal data belonging to Kia America, its employees, its customers, passengers in its vehicles, or other third-party individuals or entities that might impact their privacy.
- Do not compromise or disclose confidential or proprietary data belonging to Kia America, its employees, its customers, passengers in its vehicles, or other third-party individuals or entities including Kia America’s authorized dealerships and their employees.
- Do not test the physical security of any Kia America property or facility, or the properties or facilities of Kia America affiliates or related third parties, including Kia America’s authorized dealerships.
- Do not perform any kind of denial-of-service testing or over-exhaust an IT function.
- Do not perform social engineering, spam, or phishing/spear phishing attacks.
- Do not disclose to any third party the details of any submitted vulnerability reports before Kia America can confirm complete remediation of the identified issue (if any).

 

Disclosure Submission Procedure

 

In submitting vulnerability reports, please note that although Kia America sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.  

 

When submitting reports, please describe the alleged vulnerability by including:

 

- The date and time when the vulnerability was discovered.
- The methods you employed to identify the alleged vulnerability and any known or possible remediation. Please include detailed reports with reproducible steps.
- The prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability.
- The set-up configuration and modification of the Kia America product and/or services.
- Please allow us to disclose the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.
- Unless you wish to remain anonymous, please provide your contact information (Name, Phone Number and Email) so that we may reach out to you for additional information or keep you informed of our findings and remediation plans.

 

Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in an in-scope Kia America product, service, and/or vehicle, please use the form to submit your findings in a complete and accurate manner.

 

We will attempt to respond to your report within 3 business days of receiving it with an initial acknowledgement. 

 

Submission Questionnaire