First of all, it is legal. Many companies have bounties. If you report a problem, you can get a cash prize, and it can be as high as $100,000 if it's something really.... This is happening around the world. It's limitless. If Cisco or some other company has a problem, they don't care if the solution comes from Belgium or from Canada.
In addition, at least in Israel, we have a volunteer Red Team. These are cyber experts who devote a day a month or a few days a month to test, with permission. They do pen testing on critical infrastructure. It can be a hospital, a water installation, etc. At the end, they give a report saying, “These are the problems you have.” I think this is really valuable. When you have permission, there is no legal problem. I don't think you need a new law for that.