How do you triage vulnerabilities discovered through internal scanning tools, bug bounty programs, or third-party penetration tests?