This seems to be a hot topic at the moment. In Thoughts on Responsible Disclosure and Wasenaar I gave some ideas about what I would expect from a vendor in how it handles security vulnerabilities in its products.
Now, I read which is very interesting from my point of view, as it helps you understand where you (or a vendor) stand with respect to the maturity of this process. And if you disagree with the model, it helps get the needed discussion going. Good job, HackerOne.