The US Department of Justice has released a framework to help businesses develop formal vulnerability disclosure programs. More businesses are adopting vulnerability disclosure programs to better detect security problems that could lead to data compromise and disruption.
Some informally accept vulnerability reports with no structured process; others have formal programs with policies to dictate how they accept vulnerabilities and share the information with those affected. These policies may also include authorized methods for finding flaws in a business' systems, services, and products.
The framework, created by the Criminal Division's Cybersecurity Unit, provides a process for designing and administering a program, as well as a set of considerations that could help inform vulnerability disclosure policies. It doesn't specify the goals and structure for these programs as every business has different goals and priorities.
Read more details here.