Coordinated cybersecurity vulnerability disclosure (CVD) policies in Europe are unfortunately not universal; likewise, legislation to protect ethical hackers still has a way to go. The European Cybersecurity Agency (ENISA) could do more at an EU-wide level to help good faith researchers protect critical digital resources.