How would you address a zero-day vulnerability that has been discovered in software used by the organization, including mitigation and communication?