Why every organization should make it easy to report security flaws