Is it really that difficult for an organisation with a website to have a clear vulnerability reporting process, and then to actually do something about reports? I know it's not standardised yet, but we've gone for .well-known/security.txt (decoded.legal/.well-known/se…).