How would you approach a situation where a critical vulnerability is found in a product already in production?