The point is in enabling the conversation. We can make the laws whatever we want that would help it be fair

White hat: can I hack? Company: no

Later: Company has 100 security request denials Company info leaked Company gets sued Judge is presented with 100 instances where the company was offered free security testing and they refused Judge raises issue from possible negligence to gross negligence

We can also only allow companies to deny requests for specific reasons