A Security Practices Evaluation Framework

Vulnerability Removal Effectiveness
Description

Vulnerability Removal Effectiveness (VRE) is the ratio of pre-release vulnerabilities to total vulnerabilities found, pre- and post-release, analogous to defect removal effectiveness. Ideally, a development team will find all vulnerabilities before the software is shipped. VRE is a measure for how effective the team’s security practices are at finding vulnerabilities before release.

Definition

VRE = Pre-Release Vulnerabilities / (Pre-Release Vulnerabilities + Post-Release Vulnerabilities), where both counts are taken over the vulnerabilities known in the software at a chosen point in time.

Data Collection

Derived from Pre- and Post-Release Vulnerabilities metrics.
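Because VRE is evaluated at a point in time, its value changes as post-release vulnerabilities continue to surface; the following added example (not part of the framework itself) computes VRE from a constructed set of vulnerability records with a hypothetical release date, excluding records not yet known at the evaluation date and treating the zero-vulnerability case as undefined rather than as a perfect score.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability record: an identifier and the date it was found."""
    identifier: str
    discovered: date


def vulnerability_removal_effectiveness(
    vulns: Iterable[Vulnerability], release_date: date, as_of: date
) -> Optional[float]:
    """VRE = pre-release / (pre-release + post-release), as known on `as_of`.

    Pre-release: discovered before the release date.
    Post-release: discovered on or after the release date, up to `as_of`.
    Records discovered after `as_of` were not yet known and are excluded.
    Returns None when nothing has been found yet (0/0 is undefined, not 1.0).
    """
    known = [v for v in vulns if v.discovered <= as_of]
    pre = sum(1 for v in known if v.discovered < release_date)
    post = len(known) - pre
    if pre + post == 0:
        return None
    return pre / (pre + post)


# Constructed sample data (hypothetical product, hypothetical dates).
RELEASE_DATE = date(2023, 6, 1)
SAMPLE_VULNS = [
    Vulnerability("V-001", date(2023, 3, 10)),   # found in code review, pre-release
    Vulnerability("V-002", date(2023, 4, 2)),    # found by SAST, pre-release
    Vulnerability("V-003", date(2023, 5, 20)),   # found in pentest, pre-release
    Vulnerability("V-004", date(2023, 7, 15)),   # reported by a customer, post-release
    Vulnerability("V-005", date(2023, 11, 30)),  # bug-bounty report, post-release
]


def vre_as_of(iso_day: str) -> Optional[float]:
    """Convenience wrapper: VRE of the sample product on an ISO-8601 date."""
    return vulnerability_removal_effectiveness(
        SAMPLE_VULNS, RELEASE_DATE, date.fromisoformat(iso_day)
    )


if __name__ == "__main__":
    for day in ("2023-02-01", "2023-06-01", "2023-09-01", "2024-01-01"):
        print(day, vre_as_of(day))  # None, 1.0, 0.75, 0.6
```

The same team's VRE reads 1.0 on release day, 0.75 three months later and 0.6 after the fifth report, which is why the point in time must be stated alongside the figure.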