Hacker News
by EricMausler 1013 days ago
People aren't white or grey or black hats. Actions are.

A person can wait until they find a vulnerability to decide what type of hat they want to be. That is not only possible, but also the most rational thing for someone to do if there are no negative consequences to declaring yourself one way or the other before you find the vulnerability.

All of the problems mentioned can be addressed above the table.

We don't allow people to test your defenses unsolicited in any other industry that I know of, and the cost of cybersecurity is very high.

We can make basic security defenses a law if we want to without giving cover to black hats.

You can't throw the book at someone who has approval to do research. Business does not need to have at-will rights over that approval, we can require sufficient reasoning to deny