Security Remediation Effort : Understanding


I am implementing quality gate rules. One such rule I want to use is: Security Remediation Effort

This can be set to “Is Greater Than” and an Integer value.

I cannot find what that integer should be. The documentation does not help either:

Effort to fix all vulnerability issues. The measure is stored in minutes in the DB. An 8-hour day is assumed when values are shown in days.

Do you pass it in as minutes or days? E.g. if I put 16 as the value, is it turned into 2 days, or should I put 960, which is 16 hrs in minutes?


I advise against this.

Remediation effort is about how long (we estimate) it will take to fix.

Security Rating is about how bad it is.

Using remediation effort incentivizes the wrong thing. It says: it’s okay to have a Blocker Vulnerability if it only takes 2 min to fix. A Minor Vulnerability that needs an hour is a “Bad Thing™”, though.

Instead, I would use the Security Rating. The docs may help.