Exploits are created ("crafted" might be a better word), vulnerabilities are discovered. Unless you're hiding a RAT behind a public trigger in your code on purpose, I guess?

In general, the exploit has been (however systematically) stumbled upon, or felt through like a person navigating a physical maze.

Nobody would say that person "created" the solution to the maze.

The maze is solvable (that's the latent vulnerability), the person "discovered" the way through.