Have you all considered putting a category on your contact form for security reporting that automatically replies with the information about your program? It would give people the chance to find the desired path even if they miss the link in the footer.
Our company is small, security@$mycompany.com email and customer service email go to the same staff. We have a standard reply pointing to our bounty page. It explains all steps, what qualifies, what doesn't qualify, payment process, hall of fame. The more we explain the less we hope we need to manually answer. We paid out 20 bounties so far I think.
