How do you handle a critical vulnerability disclosure for a system that cannot be taken offline for patching?