by Eridrus
3996 days ago
security@ is common, but it's unlikely that I'm going to blindly send an email to an address without knowing it is monitored, except as a last resort.

Having a web page on your website that is easily identifiable via Google is probably one of the best. You can put a PGP key there if you like. You will find that security researchers have a wide range of caring about how secure the communications are, so don't be surprised if lots do not bother to use it, since it's still your data that is at risk and not theirs.

Alternatively, there are bug bounty programs for incentivizing researchers (both to find bugs, but also to play nice), and those generally work over HTTPS, so it's encrypted to that extent.

HackerOne recently launched a Directory service for security contacts: https://hackerone.com/blog/wheres-that-security-at

I don't think that is the most common way by far, but if you particularly care, you might want to use that.