It would have to be very carefully worded.
Many here have said "Don't change it', but for example, a port scan then logging in with a default IoT piece of crap could, in theory, get you arrested. So do you contact HappyLuckyDevicesMakeYouExcellelent to tell them you intend to check for security holes?
And if they say " No", do you leave that heap of crap just sitting out there being used as a botnet?
On the flip side, if you say it's ok to login and check, the bad guys can say "Hey we were looking for security holes. No intention of doing anything bad'.
It's not a case of yes or no.