Imagine you've discovered a vulnerability in a widely used software. What process would you follow to address it?