So I have a surprise for you! Poland has an explicit provision in law that conditionally legalizes attacking computer systems for that very purpose. An example of a poorly executed response to pentesters’ demands, (1) but it made it to the Penal Code in 2017: addition of article 269c and introduction of §1 to 269b.
The catch? It has not been tested in court yet. So unless you volunteer to be a subject of a legal experiment, engaging in such activity is still a bad idea. The law, even if it works as intended, will not protect you from all the trouble the notified party may bring upon you. And the worst part is that you will face harsh treatment for trying to be helpful, which is by itself a PITA.
(1) The backstory: EU-wide agreements require states to implement law that punishes production, possession, distribution etc. of tools that might be used to commit computer crimes, but only under the condition that those tools were actually used for that purpose. Poland implemented only the first part, introducing a legal absurdity. For years, pleas to fix that have been ignored. Finally, in 2016/2017 lobbyists managed to convince the Ministry of Digital Affairs to address that issue. But, instead of simply copying the text of the relevant directive and adding the exception, they wrote it from scratch, seemingly understanding neither the subject nor the goals. The effect is what you can see. A provision that is much wider — to the point of going absurd in the opposite direction.