That depends heavily on the law in question. Germany e.g. almost completely bans white hat activities because hacking is evil, and no amount of common sense has been able to get through lawmakers' thick skulls.
You can downvote him all you want, but it's true at the core. §202c of the BGB heavily limits what can be done, even by legit researchers, and it's often being criticized for that reason.
For anyone interested, the Wikipedia article might give an overview (only available in German right now): https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hen...