This probably varies among countries, but afaik anything can be considered intellectual property. For example, if your company has some copyrighted material (PDFs, videos, etc.) about how to exploit an SQL injection, it’s considered IP even though the content, “SQLi exploitation techniques”, is very common knowledge. So IP is rather an umbrella term.
About vulnerability research, it all depends on the product’s EULA. Some vendors outright prohibit anyone from conducting vulnerability research on their products.
Most vendors prohibit reverse engineering of their products. This does not particularly prohibit anyone from doing VR, but good luck writing an exploit after finding a vuln w/o doing any RE.
So what happens if you do RE/VR on one of these products and actually find a 0day? Nowadays, most vendors won’t sue you just for that (but they certainly would in the past).
When you report a vulnerability (outside a bug bounty program), the most probable outcomes are the following:
- Vendor responds in a positive manner. They fix the vulnerability and reward you for it.
- Vendor responds in a positive manner. They fix the vulnerability and thank you for it.
- Vendor responds in a positive manner. They thank you for it but they won’t fix it in the near future.
- Vendor completely ignores your vulnerability report.
- On very rare occasions, the vendor tries to force you into signing an NDA by saying that they’ll take legal action if you don’t sign it.
TL;DR - Although vulnerability research is very welcome nowadays, if you’re conducting it outside of a bug bounty program or pentest, the vendor reserves every right to take legal action.