  • The reporter is always a customer or has a customer ID. – At the CERT/CC, we have hit walls in our communication attempts when a vendor's technical support function refused to help us without a customer ID number. Vulnerability reports can arrive from anyone; be sure your technical support staff know how to forward them to the appropriate individuals or groups within the organization.
  • The reporter is willing and/or able to fill out a web form. – Some reporters prefer to use anonymous email; be sure you have more communication lines open than just a web form.
  • The reporter is a human. – Sometimes reports can be auto-generated by tools. Include a clearly defined reporting format for tools if at all possible.
  • The reporter can send or receive encrypted mail. – The CERT/CC encourages encrypted mail when possible, but it is not appropriate to presume that all reporters can or must use it. If the reporter declines to use encrypted mail, offer other options. These may include encrypted archives (using a modern cipher such as AES rather than legacy ZIP encryption, with the password shared out of band) or a company upload service reached over an encrypted transport such as HTTPS or SFTP; plain FTP sends the report in the clear.
  • The reporter has an account on your private portal. – The reporter may not be a customer with a portal account; furthermore, the reporter may wish to remain anonymous and will be unwilling to register for a portal account. Again, be sure it is easy for reporters to find more than one communication channel.
  • The reporter will wait indefinitely for your reply before communicating with others about what they know. – Technology sometimes fails, and a reporter may not know whether a message was received. Acknowledge receipt as soon as possible, and give regular updates on the process so that the reporter stays involved and expectations are shared. Reporters who are kept out of the loop may seek out a third-party coordinator or even publish their report without notice.
  • The reporter will keep your correspondence private. – Lack of response or rudeness on the part of a vendor may result in the reporter choosing to post the correspondence publicly. In addition to the negative attention this draws to the vendor and reporter alike, such negative experiences may discourage finders and reporters from reporting vulnerabilities to the vendor in the future.

< 4.1 Discovery | 4.3 Validation and Triage >