How can lawmakers better protect reporters of security vulnerabilities?

The US is again warning of potential cybersecurity attacks against the US. Hearing this, I can't help but roll my eyes and lament the way we treat those who report cybersecurity vulnerabilities.

Recently, the governor of Missouri made it a personal political goal to prosecute a "hacker" who did nothing more than view the source of a government web page. It's easy to find other cases where people are harassed, prosecuted, and sometimes jailed, after reporting a vulnerability.

I myself once discovered an apparent security vulnerability, but I just closed my browser and walked away. I didn't want to deal with the potential harassment or worse. I think many are like me.

What changes can lawmakers make to improve this situation? How can we protect those who report security vulnerabilities?