I would suggest you take a look at the way the company handles vulnerability reporting, as well as their response to such reports.
The company should provide a secure and private way to report vulnerabilities, such as a dedicated security response email address and a PGP key for encrypting reports, and they should provide this in an easy-to-find location. They should also not persecute the people who find these vulnerabilities and report them, as some companies have tried to do previously.
For incident reports, they should respond quickly (as a guideline, within 48 hours of the report) to the person who reported the vulnerability. If possible, a temporary patch should be released ASAP (such as Microsoft's Fix its), and a more permanent one released afterwards that completely removes the cause of the vulnerability. The company should also provide a way to keep its customers updated on security issues in its products, such as a mailing list, and keep it updated regularly.