That's a great question. In the U.S., there is the Computer Fraud and Abuse Act, passed in the 1980s, that says something to the effect that you can't hack and enter into a company's digital assets in an unauthorized manner. It has not been updated since. I believe Canada has a version of that law as well.
We would encourage Canada to pass a law to encourage all organizations with a digital asset to adapt some form of policy to invite the public—and you don't even need to call them hackers—to report any bugs and vulnerabilities they happen to find. That is just inviting them in, saying what's in scope and what is permitted and what isn't, as well as what you might specifically be looking for. Then, importantly, the organizations should offer a communication channel within it and set up a process in which to receive that information, as well as the resources to fix it.
That's what we would generally encourage the government to do, to pass a law to encourage that type of behaviour.