The attested systems have vulnerabilities too, so how do they deal with that responsibility?