How would you handle a situation where a critical vulnerability is discovered in software used by University of Oregon?