The organization should establish and publish how security related issues should be reported. Reporting of security related matters should not have a negative impact on the person reporting it. Additionally, the organization should include an option to report security issues anonymously.