The Department of Justice Criminal Division Cybersecurity Unit has devised a framework for companies looking to implement formal vulnerability disclosure policies.

Because different organizations may have different goals and priorities for their programs, the framework acts more as a rubric, providing considerations and guidance rather than authority. This guidance reduces the likelihood that activities under such a program will result in a violation of the Computer Fraud and Abuse Act.

For more information, or to read the steps in detail, go here.