So You Just Received A Vulnerability Report. Now What?

  • Also, if you do get a report, it would be a good idea to keep an eye on the Bugtraq and Full Disclosure mailing lists:

    http://seclists.org/

    where many vulnerabilities are released to the public. This is in case the reporter goes public without you knowing it.

    Also, it's a good idea to look the list over and see what types of vulnerabilities are hitting applications. Don't just fix a single reported exploit and call it a day. Find out what else could be wrong security-wise with your code and fix those issues as well.
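One way to put the "keep an eye on the lists" advice into practice is a small feed watcher that flags posts mentioning your own product names, so a public disclosure does not go unnoticed. The script below is an added example, not code from the comment author or from seclists.org. It assumes the lists are available as RSS 2.0 feeds (seclists.org does publish RSS for its archives; the exact feed URL you would poll is an assumption and is only used by the optional `fetch_and_check` helper), and the embedded feed, product names and links are constructed sample data so the example runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an RSS 2.0 feed. Titles, links and
# descriptions are made up for illustration; only the feed structure matters.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Constructed sample feed</title>
<item><title>[FD] ExampleCMS 2.3 - stored XSS in comment field</title>
<link>https://seclists.org/fulldisclosure/2024/Jan/0</link>
<description>A stored cross-site scripting issue in ExampleCMS.</description></item>
<item><title>Re: OtherProduct 1.0 buffer overflow</title>
<link>https://seclists.org/fulldisclosure/2024/Jan/1</link>
<description>Unrelated thread about a different product.</description></item>
<item><title>SQL injection in examplecms admin panel</title>
<link>https://seclists.org/bugtraq/2024/Jan/2</link>
<description>Details of an injection in the examplecms admin interface.</description></item>
</channel></rss>"""


def parse_feed(feed_xml):
    """Return a list of (title, link, description) tuples, one per <item>."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append((
            (item.findtext("title") or "").strip(),
            (item.findtext("link") or "").strip(),
            (item.findtext("description") or "").strip(),
        ))
    return items


def find_mentions(feed_xml, product_names):
    """Return (title, link) for every item whose title or description mentions
    one of product_names as a whole word, case-insensitively, so that
    'examplecms' in a lowercase subject line is still caught."""
    patterns = [re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
                for name in product_names]
    hits = []
    for title, link, description in parse_feed(feed_xml):
        text = title + "\n" + description
        if any(p.search(text) for p in patterns):
            hits.append((title, link))
    return hits


def fetch_and_check(url, product_names, timeout=10):
    """Fetch a live feed and scan it. Hypothetical helper for scheduled use
    (e.g. from cron); it is not called by default so the module runs offline."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return find_mentions(resp.read(), product_names)


if __name__ == "__main__":
    for title, link in find_mentions(SAMPLE_FEED, ["ExampleCMS"]):
        print(f"mention: {title}\n         {link}")
```

Run it on a schedule against the feeds for the lists you care about and alert on new hits; keeping the last-seen links in a small state file avoids re-alerting on the same thread.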