Occasionally fuckups happen, even with Qubes (although not as often as some think).
What should we – users or admins – do in such a situation? Patch, obviously. But is that really enough? What good is patching your system if it might have already been compromised a week earlier, before the patch was released, when an adversary may have learned of the bug and exploited it?
That’s an inconvenient question for many of us – computer security professionals – to answer.