Who owns software vulnerabilities? The hacker or the company who owns the code?
Who owns software vulnerabilities?
The hacker who discovered the vulnerability, the company who owns the code/hardware, or if its open source then the maintainers?
Is this written in law anywhere?
3 comments
[ 2.0 ms ] story [ 16.6 ms ] threadA researcher however can own code he/her wrote, e.g. exploit code
https://www.kernel.org/doc/html/latest/x86/microcode.html
Look at the specification. If something does not behave as expected, that entity is the owner. In case of Intel processor vulnerabilities and other ones, the hardware is the fault as per my understanding.
Since you are asking about software vulnerabilities and since a vulnerability is supposed to be fixed, the onus is on the provider to fix it, but the IP could be owned by the hacker. Its a vulnerability if its known the company. If not, its an exploit the hacker can use.
Just like a poem can contain figures of speech like metaphors, you don't generically actually own "metaphors" but you can own an actual metaphor if it's written as part of your poem. Maybe the metaphor is too small and you cannot protect its rights, but if you are the legitimate creator, it's still your metaphor.