While "Rules of Engagement" may not be the best term, it's generally used for pentesting agreements, so I suspect something similar should work.
We publish in-scope domains on https://security.wikimedia.org/bug-bounty/, and examples of in-scope and out-of-scope vulnerabilities, but that doesn't necessarily tell someone what sort of things they can try (or not try), or when they should stop, for example, if they find something that looks like it could be destructive...
https://www.mediawiki.org/wiki/Reporting_security_bugs is a general policy...