I stumbled upon a recent zero-day for Microsoft Silver Light (CVE-2016-0034 or KB3126036). Checking my work system, I can see it hasn't yet been patched. It's not my job to keep systems secure, I'm only a developer/analyst but ultimately I want to work my way into information systems security + do the right thing. What do you recommend is the best course of action? Do nothing? Wait? Report it immediately?
It sounds as simple as sending an email to IT saying "it has come to my knowledge that there is this security vulnerability in the Silverlight version that we're using".<p>And then, probably, forget about it -- being too pushy about demanding an fast resolution may lose you the points that you'll gain by pointing out the issue.