How should I handle failed vulnerability scans