Here is a usful link from isc.sans.edu on “The Seven Deadly Sins of Security Reporting”
All of them are great points, but I think # 1 is really important and one of the places where a lot of people can run into trouble. Also # 3 ties into that, everyone has a black berry but are they really available after hours with them or do they get ignored?
Most of the other points are strait forward, but at the end of the day if you can’t be reached or reach anyone your vulnerabilities are problems you are going to need to work to.
Also after all of that work, reports are sent out on a secure channel, printed and left on a desk.