• Creation of a proposed draft of the vulnerability procedures to follow when a vulnerability is identified, and the follow-up process.
• Review in team
• when ready, propose to TSC
• Examples from other communities are:
  https://wiki.fd.io/view/TSC:Vulnerability_Management ;  
  https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046 
  https://wiki.opendaylight.org/view/Security:Vulnerability_Management
• • Process we will follow is use the fd.io as a template and adapt it to onap.  The draft work will be found here: ONAP Vulnerability Management  
• Secure candidates of the security response team (to identify severity and where the problem might be, coordinate and bring in the experts). looking for 3-5 people that has a Knowledge of 1. process, 2. security expertise & drive/coord, 3 sufficient knowledge of code.   

There are tools that can be part of the ONAP build system such as "Nexus Lifecycle", and external static scanners such as Coverity that the ONAP community can use for free to detect *potential* issues.  The audit team would need to sign up to run these tools against the codebase, and more importantly review the output for relevant issues and work with the appropriate ONAP project(s) to remediate the issue.

https://www.sonatype.com/intelligence-automation

https://scan.coverity.com/

https://github.com/linuxfoundation/cii-best-practices-badge  

This may identify good practices, which could include guidelines.  consider, Ensure least privilege by design), consider how to look at code scaning into the integration processes.

Also look at:

• https://wiki.opnfv.org/display/security/Security+Home 
• https://wiki.opnfv.org/display/security/Opnfv-security-guide