Cost estimator: security activities in the support period

Estimate the total cost of managing software vulnerabilities

This calculator helps you understand the labor and operational expenses associated with:

  • Tracking and fixing issues caused by vulnerabilities in third-party libraries
  • Tracking and fixing reports submitted by independent researchers
  • Holding mandatory periodic security reviews
Diagram: CRA vulnerability handling process

Input Parameters

Application parameters

These parameters determine how many vulnerability alerts you'll need to investigate from your software dependencies.

Third-party libraries in your application. In 2022, the average Java application depended on 40 third-party libraries (source).

Average yearly CVEs per library. Default 5.31 based on industry research. (source)

Percentage requiring action after triage. Default 25% accounts for false positives and non-applicable vulnerabilities.

Coordinated Vulnerability Disclosure Parameters

Coordinated Vulnerability Disclosure (CVD): external security researchers reporting vulnerabilities to you.

Expected incoming reports. Default 120 assumes moderate visibility. Adjust based on your exposure.

Percentage of valid, actionable reports. Default 10% reflects typical noise in public disclosure channels.

Security review parameters

Periodic security reviews to update your risk register and reassess vulnerabilities.

Time per review session. Default 8 hours (1 day) for a quick assessment.

Frequency of reviews. Default 1 assumes annual review; increase for quarterly or monthly cycles.

Labor Costs

Time spent at each stage of vulnerability handling (see diagram above). Default estimates are given for each stage; they vary between companies, so adjust them to match your own organization.

Initial assessment per alert. Default 0.5 hrs (30 min) for quick validation.

Development time per fix. Default 4 hrs includes code changes and testing.

Time to release the fix. Default 4 hrs covers build, deploy, and verification.

Communication time. Default 4 hrs for advisories, customer notifications, and documentation.

Fully-loaded cost per hour. Default $150 includes salary, benefits, and overhead for a security engineer.

Results

Estimated yearly cost and effort

Effort estimate: 119.4 mandays (955.4 hrs)

Cost estimate: $143,310

Time/effort spent on third-party libraries: $111,510

Total vulnerabilities investigated: 212.4
Valid vulnerabilities addressed: 53.1
Total hours spent: 743.4

Breakdown:
  • Triage effort/cost: 106.2 hrs / $15,930
  • Fix effort/cost: 212.4 hrs / $31,860
  • Release effort/cost: 212.4 hrs / $31,860
  • Inform effort/cost: 212.4 hrs / $31,860

Time/effort spent on CVD reports: $30,600

Total reports investigated: 120
Valid reports addressed: 12.0
Total hours spent: 204.0

Breakdown:
  • Triage effort/cost: 60.0 hrs / $9,000
  • Fix effort/cost: 48.0 hrs / $7,200
  • Release effort/cost: 48.0 hrs / $7,200
  • Inform effort/cost: 48.0 hrs / $7,200

Time/effort spent on mandatory security reviews: $1,200

Number of reviews done: 1
Total hours spent: 8.0

Breakdown:
  • Review work effort/cost: 8.0 hrs / $1,200
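The model behind the calculator, reconstructed from the parameter descriptions and results above as an added Python example (not the calculator's own code). With the page's defaults it reproduces the 955.4 hours and $143,310 shown; changing any field of Params (for example quarterly reviews) shows how the estimate moves under other assumptions.

```python
from dataclasses import dataclass

HOURS_PER_MANDAY = 8


@dataclass
class Params:
    """Calculator inputs; the values below are the page's defaults."""
    libraries: int = 40               # third-party libraries in the application
    cves_per_library: float = 5.31    # average yearly CVEs per library
    alert_action_rate: float = 0.25   # share of alerts still valid after triage
    cvd_reports: int = 120            # expected incoming researcher reports
    cvd_valid_rate: float = 0.10      # share of reports that are valid and actionable
    review_hours: float = 8.0         # time per security review session
    reviews_per_year: int = 1
    triage_hours: float = 0.5         # initial assessment per alert or report
    fix_hours: float = 4.0            # code change plus testing per valid finding
    release_hours: float = 4.0        # build, deploy and verify per valid finding
    inform_hours: float = 4.0         # advisory, notifications, docs per valid finding
    hourly_rate: float = 150.0        # fully-loaded cost per engineer hour


def handling_hours(p, investigated, valid):
    """Hours for one stream: every item is triaged; only valid ones are fixed, released and communicated."""
    return {
        "triage": investigated * p.triage_hours,
        "fix": valid * p.fix_hours,
        "release": valid * p.release_hours,
        "inform": valid * p.inform_hours,
    }


def estimate(p=None):
    """Yearly effort and cost split into the three streams the calculator reports."""
    p = p or Params()
    alerts = p.libraries * p.cves_per_library
    libs = handling_hours(p, alerts, alerts * p.alert_action_rate)
    cvd = handling_hours(p, p.cvd_reports, p.cvd_reports * p.cvd_valid_rate)
    hours = {"libraries": sum(libs.values()), "cvd": sum(cvd.values()),
             "reviews": p.reviews_per_year * p.review_hours}
    total_hours = sum(hours.values())
    return {"stages": {"libraries": libs, "cvd": cvd}, "hours": hours,
            "cost": {k: v * p.hourly_rate for k, v in hours.items()},
            "total_hours": total_hours, "total_mandays": total_hours / HOURS_PER_MANDAY,
            "total_cost": total_hours * p.hourly_rate}


if __name__ == "__main__":
    r = estimate()
    for k, v in r["hours"].items():
        print(f"{k:10s} {v:7.1f} hrs  ${r['cost'][k]:,.0f}")
    print(f"total      {r['total_hours']:7.1f} hrs  ${r['total_cost']:,.0f}  ({r['total_mandays']:.1f} mandays)")
```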
