Correct. They are also probably (depending on circumstances) exempt from some provisions of the DMCA that might otherwise allow the research target to employ copyright law to stop them from conducting the research. US Federal Law has provisions that explicitly protect vulnerability research in some cases.