CompTIA CySA+ CS0-003 Practice Question
Your company has a contract with an external vendor that mandates that critical vulnerabilities be fixed within 48 hours of detection. A critical vulnerability was detected on a server managed by this vendor, but after 48 hours, there is no evidence that the issue has been addressed. What should be your first course of action?
Review the terms of the contract regarding compliance criteria and communicate the breach to the vendor.
Escalate the issue to higher management within your company.
Notify internal stakeholders about the failure to address the vulnerability.
Seek legal advice to address the vendor's non-compliance.