
We have 'security bounty program' listed in our website footer. Also a security.txt. We still get emails saying they found some kind of vulnerability and asking if we have a bounty program. Sometimes via our contact form, where we can check what the user did on our website prior (usually: nothing). At this point it's spam.

The most infuriating report was that there's a world-readable directory listing and people can download files, a URL like http://dowloads.$mycompany.com/public with literally a README file explaining that all files are public and meant for people to download.



Have you all considered putting a category on your contact form for security reporting that automatically replies with the information about your program? It would give people the chance to find the desired path even if they miss the link in the footer.


Our company is small; the security@$mycompany.com email and the customer service email go to the same staff. We have a standard reply pointing to our bounty page. It explains all steps: what qualifies, what doesn't qualify, the payment process, the hall of fame. The more we explain, the less we hope to have to answer manually. We have paid out 20 bounties so far, I think.



