Given a scenario where a vulnerability is discovered in a third-party service, how would you assess the risk and respond?