Well said as always Adrian. This part really hits home for me:
Go — look at your company’s website. Consider its products and applications. How would the general public report an issue? How easy is it to find the right contact information when starting with zero knowledge? Who are the recipients of these emails? Would they forward a critical security report to the right person internally or would they consider it a scam and delete it?
I’ve been in organizations where, because there was no easy way to report something, the reporting individual started picking names they *think* are the right people and just began sending random emails/messages to these folks throughout the organization. This generated a lot of messages that eventually made it to the correct person, but they came from a lot of different fronts. This caused confusion and additional stress, especially for those who did not understand the nature or severity of the vulnerability.
Let’s just say that your marketing department may be easy to find, but they are not typically the folks you want handling vulnerability reporting. To use a technical term, it tends to get them kerfluffeled and, when dealing with internal issues, the kerfluffling of the marketing department should be avoided at all costs.