I wrote up a formal responsible disclosure policy. I take the security of my customers seriously, and as such I have gear and hosting as prizes it anyone finds anything. Not as fancy as a policy like Google’s, but I think every organization should have something (especially after the Panera Incident).