Publish a Responsible Disclosure policy
With a responsible disclosure policy, you encourage people to report security vulnerabilities they discover in your organisation's systems, without fear of being blamed for having found them.
A coordinated vulnerability disclosure policy is a set of rules, defined in advance by the organisation responsible for an information or communication technology system, that allows security researchers or members of the public to look for potential vulnerabilities in that system in good faith and to report all relevant information they find about them. These rules, usually published on the organisation's website, establish a legal framework for cooperation between the responsible organisation and those who take part under the policy.
CCB Guide on Coordinated vulnerability disclosure policy (to be published soon)