
Who owns software vulnerabilities? The hacker or the company who owns the code? - always_learning
Who owns software vulnerabilities?

The hacker who discovered the vulnerability, the company who owns the code/hardware, or, if it's open source, the maintainers?

Is this written in law anywhere?
======
sairamkunala
Intel (the chipmaker) uses the Linux kernel to fix flaws found in the
hardware. See if you can identify who would want the ownership around that.

[https://www.kernel.org/doc/html/latest/x86/microcode.html](https://www.kernel.org/doc/html/latest/x86/microcode.html)

Look at the specification. If something does not behave as expected, that
entity is the owner. In the case of Intel processor vulnerabilities and other
ones, the hardware is at fault, as per my understanding.

Since you are asking about software vulnerabilities, and since a vulnerability
is supposed to be fixed, the onus is on the provider to fix it, but the IP
could be owned by the hacker. It's a vulnerability if it's known to the company. If
not, it's an exploit the hacker can use.

------
lordkrandel
My 2 cents. A vulnerability is a "side effect" of existing code. So if you
consider the vulnerable code, it belongs to the owner of the rest of the
program. If you write an article about it, you can cite the code and own the
article. If you write an exploit, the exploit code is yours. And you can't
patent the vulnerable code because it already is existing prior work.

Just like a poem can contain figures of speech like metaphors: you don't
generically own "metaphors", but you can own an actual metaphor if
it's written as part of your poem. Maybe the metaphor is too small for you to
protect its rights, but if you are the legitimate creator, it's still
your metaphor.

------
md-
A software vulnerability itself is information about a vulnerability.
Information itself is not copyrighted; nobody can own it.

A researcher, however, can own code he or she wrote, e.g. exploit code.

