Is there not an official standard / "best practices" document for what each party should follow with bug reporting / bounty procedures? Something that anyone in a company that's starting a bug bounty program can point their legal department to, and say: "here's what Amazon and Google and X and Y and Z follow, so we should do the same"? From the security researcher perspective, there's the responsible disclosure stuff. But not much from the other side, AFAIK.