Look at the specification. If something does not behave as expected, that entity is the owner. In the case of Intel processor vulnerabilities and other ones, the hardware is at fault, as per my understanding.
Since you are asking about software vulnerabilities and since a vulnerability is supposed to be fixed, the onus is on the provider to fix it, but the IP could be owned by the hacker. It's a vulnerability if it's known to the company. If not, it's an exploit the hacker can use.
My 2 cents. Vulnerability is a "side effect" of existing code. So if you consider the vulnerable code, it belongs to the owner of the rest of the program. If you write an article about it, you can cite the code and own the article. If you write an exploit, the exploit code is yours. And you can't patent the vulnerable code because it already is existing previous work.
Just like a poem can contain figures of speech like metaphors, you don't generically actually own "metaphors" but you can own an actual metaphor if it's written as part of your poem. Maybe the metaphor is too small and you cannot protect its rights, but if you are the legitimate creator, it's still your metaphor.
https://www.kernel.org/doc/html/latest/x86/microcode.html