Your organization utilizes a proprietary system for its critical operations. During a routine vulnerability scan, you discover that this system has several security weaknesses. However, any changes to the system require a development cycle from the vendor. What kind of inhibitors to remediation should you include in your vulnerability management report to accurately communicate the challenges to stakeholders?
Since it's proprietary technology, no vulnerabilities should be reported until the vendor confirms them.
Legacy systems often represent a risk, but proprietary systems do not need to be included in vulnerability reports.
Affected hosts can be remediated by the application of immediate compensating controls without contacting the vendor.
Proprietary systems may have vendor-specific development cycles that delay immediate remediation.