On the CII badging page for your app https://bestpractices.coreinfrastructure.org/projects/1629 review the CII question labeled vulerabilities_fixed_60_days under the Security section. The CII question says:
"There MUST be no unpatched vulnerabilities of medium or high severity that have been publicly known for more than 60 days."

Note that this refers to vulnerabilities within ONAP code, and NOT to vulnerabilities inherited from third party libraries.

Your answer should be MET:

• If there are no known vulnerabilities
• If all known vulnerabilites pointed out by tools are ONLY false positives,
• If your project can commit to fixing new vulnerabilities within 60 days.

If you can NOT choose MET, select "UNMET" and update the description to indicate "Updated 2019-MM-DD." and an indication of why you could not choose MET.