The Car Hacker’s Hippocratic Oath

As ethical hackers and researchers, we recognize the importance of our role in ensuring the safety, security, and privacy of connected vehicles and transportation systems. In this role, we commit to maintaining the highest standards of integrity, responsibility, and professionalism. Our mission is to collaborate with manufacturers, regulators, and industry leaders to ensure the protection of users and the public, while adhering to global laws and standards.

The Oath:

First, Do No Harm

I pledge to act responsibly in my work, ensuring that my discoveries and actions will not harm individuals, vehicles, manufacturers, or public safety. My goal is to uncover vulnerabilities to improve security, not to exploit them for personal gain or malicious purposes.

Promote Transparency and Collaboration

I commit to engaging in open and constructive dialogue with manufacturers and other stakeholders. I will responsibly disclose vulnerabilities to manufacturers, allowing them to address issues before publicly discussing my findings. I will respect their processes, timelines, and security protocols, understanding that collaboration leads to stronger, safer vehicles.

Adhere to Laws and Standards

I will comply with all relevant local and international laws, regulations, and industry standards, including but not limited to:

ISO/IEC 21434 (Road vehicles – Cybersecurity engineering)

UNECE WP.29 R155 (Regulation on cybersecurity and cybersecurity management systems)

GDPR and the California Consumer Privacy Act (CCPA) (data privacy regulations for vehicle owners and users)

U.S. National Highway Traffic Safety Administration (NHTSA) guidelines on automotive cybersecurity

I will ensure that my work aligns with these frameworks to maintain legal and ethical standards across borders.

Respect for Privacy

I understand the sensitive nature of vehicle data and the importance of protecting the privacy of vehicle users and owners. I pledge to handle all data with the utmost care, ensuring that personal information is not exposed, mishandled, or misused.

Responsibly Manage Disclosures

I commit to following responsible disclosure practices when identifying security vulnerabilities. I will first inform the manufacturers or affected parties through appropriate channels, giving them sufficient time to mitigate risks. I understand that immediate public disclosure can cause unnecessary harm, and I will avoid it to preserve public safety.

Safeguard Public Safety and Well-being

My work will always prioritize the safety of vehicle users and the general public. I will ensure that any vulnerabilities I uncover are reported in a way that enables timely fixes without jeopardizing the safety of vehicles on the road.

Contribute to the Greater Good

I recognize the impact of my work beyond the immediate scope of my research. By participating in the responsible discovery and reporting of vulnerabilities, I contribute to improving the overall security landscape of the automotive industry, fostering trust and safety in connected vehicles worldwide.

Continuous Learning and Improvement

I pledge to stay informed about new developments, laws, standards, and best practices in vehicle cybersecurity. I will continue to improve my skills, understanding, and adherence to the ethical principles that guide responsible hacking and security research.

Reference Section:

ISO/IEC 21434 – "Road vehicles – Cybersecurity engineering":

This standard outlines cybersecurity engineering for road vehicles, addressing security risks throughout the lifecycle of a vehicle.

UNECE WP.29 R155 – "Cybersecurity and Cybersecurity Management Systems":

A regulation from the United Nations Economic Commission for Europe (UNECE) that sets out cybersecurity requirements for vehicle manufacturers.

NHTSA Guidelines on Automotive Cybersecurity – "Cybersecurity Best Practices for the Safety of Modern Vehicles":

Guidelines from the U.S. National Highway Traffic Safety Administration that outline best practices for automotive cybersecurity.

General Data Protection Regulation (GDPR):

A comprehensive data privacy regulation that applies to all vehicle manufacturers and researchers handling data related to European citizens.

California Consumer Privacy Act (CCPA):

A data privacy law that governs how companies collect and manage personal data from California residents, including vehicle data.

CVE (Common Vulnerabilities and Exposures):

A list of publicly disclosed cybersecurity vulnerabilities and exposures used to inform manufacturers of common security threats.

This Hippocratic Oath for Hackers is designed to balance ethical hacking principles with the responsibilities of both manufacturers and security researchers, ensuring safe, responsible innovation in the automotive industry.