A Snyk online account has been set up for FEC to monitor the FECFile Online GitHub repositories. The management of vulnerability alerts will be handled as a weekly rotating task performed by a developer who will log into the Snyk Dashboard (Invitation link here) and perform the following tasks:

1. Review the vulnerability reports for each of the FECFile Online GitHub repository.
2. Write up a ticket (1 for each vulnerability, okay to combine multiple vulnerabilities per package if found on the same day) to remediate the vulnerability. Findings of false positives or accepted risks should also be written up in a ticket with the justification for ignoring it and put to Code Review for team review.
3. Link each ticket created back to the week's Snyk ticket.
4. Add each ticket to the next upcoming sprint with the "security" label
5. Set the priority field to High
6. Put ticket in ADQR bucket
7. Ticket title should contain the package and version that is vulnerable
8. Ticket title should contain the deadline date and severity (Critical/high: 30 days from discovery, Medium: 60 days from discovery, Low: 90 days from discovery)
9. Review cloud.gov logs for any security events.
10. Update weekly assignment log with tickets created or "None".

The weekly assignment log can be found in the Google drive 🔒 here 🔒