What would you do if you found a critical vulnerability in a production system but the business could not take downtime?