To be done, something like what is outlined in https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
Promise: Demonstrate a clear, good faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities.
Scope: Indicate what properties, products, and vulnerability types are covered.
“Safe Harbor”: Assures that reporters of good faith will not be unduly penalized.
Process: The process finders use to report vulnerabilities.
Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated.