Vulnerability Disclosure

If you have any information about a vulnerability in a Kia Europe product and/or service, please let us know by submitting a report in accordance with this policy. We kindly request that you do not publically disclose any vulnerabilities found until we have had the opportunity to analyse the reported vulnerability and, if necessary, define appropriate measures.

By submitting a report under this program, you agree to our terms as set out below that form an integral part of our Vulnerability Reporting Policy:

- Conduct your testing, research and reporting activities in accordance applicable laws, regulations and other statutory provisions,

- Do not engage in testing or research that may harm or put at risk Kia Europe, its employees, its customers, passengers in Kia vehicles, or other third-party individuals or entities including Kia dealerships and their employees,

- Do not disrupt, compromise, or harm any vehicle or data,

- Avoid to access or disclose personal data belonging to Kia Europe, its employees, its customers, passenger in its vehicles, or other third party-individuals or entities that might impact their privacy,

- Do not compromise or disclose confidential or proprietary data belonging to Kia Europe, its employees, its customers, passengers in its vehicles, or other third-party individuals or entities including Kia Europe’s authorized dealerships and their employees,

- Do not test the physical security of any Kia Europe property or facility, or the properties or facilities of Kia Europe affiliates or related third parties,

- Do not perform any kind of denial-of-service testing or over-exhaust an IT function,

- Do not perform social engineering, spam, or phishing/spear phishing attacks,

- Do not participate or submit vulnerability reports if you are employed by Kia Europe, or an affiliate company, or a Kia Europe supplier, or are acting on behalf of someone employed by Kia Europe. If you are a member of one these entities, please report the issue to your management, who is then to report to Kia Europe, directly, and

- Please provide a contact for further queries.

In submitting vulnerability reports, please note that although Kia Europe sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.

When submitting reports, we expect that you will:

- Describe the alleged vulnerability, including

   - The time when the vulnerability was discovered, 

    - The prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability, 

    - The set up configuration and modification of the Kia Europe product and/or services, and 

    - Where possible, include proof-of-concept code to facilitate our analysis and triage of your report.

- Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.

- Please allow us to disclose the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.

Before submitting a vulnerability report, please read our principles above. If you identify an issue that you believe could be a cybersecurity vulnerability in any Kia Europe product and/or service, please contact us at vulnerability@kia-europe.com.

We will be sure to respond promptly to your report. By submitting a report, you agree that Kia Europe may use the information in your report in whatever ways we see fit. This may include to share information of your vulnerability report to other entities within the Kia group, as far as necessary.