How do you decide which security issues to fix first when multiple vulnerabilities are discovered at once?