The incident report may well repeat things which have been said previously in discussions or bug comments. This is entirely expected. The report should be a summary of previous findings. The existence of data in discussions or bug comments does not excuse a CA from the task of compiling a proper incident report.
Your CA may submit an incident report by [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance &version=other creating a bug in Bugzilla under the NSS:CA Certificate Compliance component], or by posting the report to the mozilla.dev.security.policy mailing list. If an incident report is sent to the list without a corresponding bug, a new one will be created to track the incident.
The incident report should cover at least the following topics: