Shoe is On the Other Foot

Normally, I get to be the one scanning for vulnerabilities and asking the sysadmins to fix their problems. Today the shoe was on the other foot. A government customer who has been running Foundstone scans (without asking permission first) approached us with a scan report from July. Each of the items listed was minor at best. They listed two of the items as “critical.” What a joke. Its so hard to respond nicely to their demand that we fix our insecurity without telling them exactly its not a problem.