It has been noted that this -
https://www.ccadb.org/cas/incident-report#what-is-considered-an-audit-finding
doesn't provide clear notice that an Incident Report is required for a previously unreported finding.
This
https://www.ccadb.org/cas/incident-report#when-are-reports-expected
does state that an Incident Report is required for a previously unreported finding.
A fourth bullet could be inserted here
https://www.ccadb.org/cas/incident-report#what-is-considered-an-incident
to mention that a previously unreported finding is considered an incident.
Also, while we're editing the Incident Report document, we should clarify that a separate bug must be created for each distinct audit finding (e.g. Finding 1, Finding 2, etc.).