Also, if you do get a report, it would be a good idea to keep an eye on the Bugtraq and Full Disclosure mailing lists:

http://seclists.org/

where many vulnerabilities are released to the public. This is in case the reporter goes public without you knowing it.

Also, it's a good idea to look the list over and see what types of vulnerabilities are hitting applications. Don't just fix a single reported exploit and call it a day. Find out what else could be wrong security-wise with your code and fix those issues as well.