What steps do you take to document and report critical vulnerabilities to non-technical stakeholders?