Who owns software vulnerabilities? The hacker or the company who owns the code?
The hacker who discovered the vulnerability, the company that owns the code/hardware, or, if it's open source, the maintainers?
Is this written in law anywhere?

Intel (the chipmaker) uses the Linux kernel to fix flaws found in the hardware. See if you can identify who would want the ownership around that. https://www.kernel.org/doc/html/latest/x86/microcode.html

Look at the specification. If something does not behave as expected, that entity is the owner. In the case of Intel processor vulnerabilities and other ones, the hardware is at fault, as per my understanding. Since you are asking about software vulnerabilities, and since a vulnerability is supposed to be fixed, the onus is on the provider to fix it, but the IP could be owned by the hacker. It's a vulnerability if it's known to the company. If not, it's an exploit the hacker can use. My 2 cents.

A vulnerability is a "side effect" of existing code. So if you consider the vulnerable code, it belongs to the owner of the rest of the program. If you write an article about it, you can cite the code and own the article. If you write an exploit, the exploit code is yours. And you can't patent the vulnerable code, because it is already existing prior work. Just like a poem can contain figures of speech like metaphors: you don't generically own "metaphors", but you can own an actual metaphor if it's written as part of your poem. Maybe the metaphor is too small and you cannot protect its rights, but if you are the legitimate creator, it's still your metaphor.

A software vulnerability itself is information about a vulnerability. Information itself is not copyrighted; nobody can own it. A researcher, however, can own code he/she wrote, e.g. exploit code.