ALT A Note on Supply Chain Disclosure The vulnerabilities in this post raise a broader question: when a security product ships a vulnerable third-party component, whose responsibility is it to tell customers? NSIS is open source, widely used, and the CVEs are public. But the fact that a vulnerability exists in NSIS does not tell an organisation whether the copy of NSIS bundled inside their ZTNA product is actually exploitable. That requires understanding the specific context - whether the installer runs as SYSTEM, whether it can be triggered by an unprivileged user, and whether the temp directory lands somewhere writable. That analysis is not something end users should be expected to do themselves. It is the vendor’s job. In both of the Zscaler case studies covered here, the vulnerabilities were reported directly to Zscaler and subsequently fixed. However, at the time of writing, Zscaler has not published security advisories for any of these fixes. Customers have no way of knowing, from