[---] After explicating the notion of “hacking back” and the implementation of corresponding policies by states, the concept of the rule of law is briefly sketched out. Subsequently, it is shown how the technical requirement to rely on vulnerabilities in the target system’s software or hardware in order to perform hack backs gives state security agencies a strong incentive to refrain from disclosing the vulnerabilities they find. It is shown how this practice, by design, weakens the rule of law in cyberspace.