How do you handle a scenario where a business-critical application has a known, unpatched zero-day vulnerability?