Communication and coordination¶

CNA work is as much about collaboration as it is about analysis. Clear, structured communication ensures vulnerabilities are handled responsibly and mitigations are applied effectively.

Vendor communication¶

Establish professional channels:

• Use official email, ticketing systems, or secure portals.

• Avoid informal messaging that cannot be audited.

Report vulnerabilities responsibly:

• Provide clear, concise descriptions of the issue.

• Include PoC details only within controlled communication.

• Recommend mitigations if appropriate, but never expose exploits publicly.

Track interactions:

• Log all communications in the internal system.

• Note dates, recipients, and summary of content for traceability.

Coordination with CERTs and authorities¶

Identify the correct CERT:

• National or regional teams for the affected systems.

• Use official submission channels and forms.

Submit structured reports:

• Include impact assessment, affected components, and references.

• Maintain the chain of evidence and ensure records are reproducible.

Follow escalation procedures:

• Notify internal supervisors before escalating externally.

• Respect deadlines and reporting obligations under EU NIS2 or local regulations.

Reference: ENISA Coordinated Vulnerability Disclosure

Reference: EU NIS2 Directive

Public reporting and disclosure-safe summaries¶

Abstract lessons safely:

• Summarise vulnerabilities without publishing actionable exploits.

• Highlight mitigations, trends, or patterns for awareness and education.

Maintain traceable records:

• Link summaries to internal CVE records and communications.

• Ensure any public-facing content is reviewed and cleared internally.