[Sephr]

There are strong protections in the US regarding vulnerability disclosure due to freedom of speech. If you are able to run software that you own which doesn't have any anti-reverse-engineering ToS on your own computers, you are generally in the clear to publish knowledge of flaws that you find while inspecting the software on your computer.

This doesn't mean that you won't get sued, but it does increase your likelihood of winning such lawsuits when you haven't committed any crimes during your security research & disclosure.

You are not required to ever tell the affected parties at all, and afaik you are also free to stockpile and sell exploits as long as you only sell them domestically (IANAL & TINLA).

[bjeds]

That's true, but in my experience vulnerability researchers mostly focus on the online presence/product of internet-active companies (the FAANG:s of the world, and their smaller competitors - companies that could realistically be on HackerOne/BugCrowd without standing out like a sore thumb).

If you've bought some software you install on your computer - like the good old days ( :) ), it's more fair game as you said.