Your policy will be read by participating security hackers and should clearly state what you're looking for in your vulnerability disclosure program. In order to help you write a good policy, HackerOne provides a baseline policy on your Security Page to help you get started. We recommend including the following in your policy:
Keep your policy succinct. Longer policies may lose readership toward the end.
Set clear expectations for hackers. It's good practice to respond to researchers within 3-5 days and to have a complete fix in place within 45 days; if your response time or fix time will be much longer than that, state it in your policy so researchers know what to expect.
Send interim updates while you're still reviewing a report. Even a short status reply lets hackers know that their work hasn't gone into a black hole.
Re-evaluate your policy on a recurring basis. Your policy will and should change as your bug bounty program matures.