If overwhelmed with creating your own policies, I highly recommend checking out Disclose.io to start the process – it’s a cross-industry, vendor agnostic standardization project that sets out safe harbor best practices to enable good faith security research.