I've had somebody bringing me a Nessus security audit...
... and the stuff in it was actual security issues in Oracle Solaris, in FOSS code they used.
But when I called Oracle support, they neither confirmed nor denied the existence of any security vulnerability, since nothing had been Officially Announced, and no, of course they would not give me any workaround, countermeasure, or even an ETA for a fix.
Red Hat had, of course, already provided an update for the same vulnerability, and provided details about it.
So, I still lack any sympathy for *the* person whose management in Oracle made me ditch Solaris completely in favour of RHEL.