It’s an interesting point, but doesn’t that open up an easy defense so black hat hackers can hack anything they want in advance and as long as they say they were just “looking for an opening” they’d be legally safe under this scenario? They could plausibly claim they just never found a vulnerability to report, but they could note down anything they notice and then attack who or when they feel like it - or pretend they’re white hat their while career but secretly sell the methods to someone who will. Under the current system, they’re discouraged from doing that.