The estimate in one line
Each finding MergeGuide catches before merge is counted as a finding not triaged, reproduced, or remediated in production. We credit a conservative number of hours saved per pre-merge finding, by severity, and sum across your findings.Hours credited per finding
| Severity | Hours saved per pre-merge finding |
|---|---|
| Critical | 6 |
| High | 3 |
| Medium | 1.5 |
| Low | 0.5 |
Where the numbers come from
The figures combine two published anchors:- The phase-cost multiplier — defects found after release cost substantially more to fix than defects found before. The IBM Systems Sciences Institute data (via Boehm, Software Engineering Economics, 1981) and the NIST Planning Report 02-3 (Tassey, 2002) put the post-release multiplier in the range of roughly 5×–30×. We apply the low end (5×) so the estimate is hard to overstate.
- Median pre-merge engineer-fix time — drawn from the Veracode State of Software Security v14 (2023) and the Ponemon / ServiceNow State of Vulnerability Response (2023).
Published sources
| Source | Year |
|---|---|
| IBM Systems Sciences Institute (via Boehm, Software Engineering Economics) | 1981 |
| NIST Planning Report 02-3 (Tassey, RTI International) | 2002 |
| Veracode State of Software Security v14 | 2023 |
| Ponemon / ServiceNow State of Vulnerability Response | 2023 |
| OWASP Application Security Verification Standard (ASVS) | — |
What the estimate excludes
- Post-incident costs — customer communication, audit, breach notification, and regulator disclosure are not included.
- False positives — only findings you fixed or acknowledged as true positives count. Suppressed and dismissed findings are excluded.
- Customer-specific promises — the figure is a general, industry-grounded heuristic, not a guarantee of your organization’s results. Compare it against your own incident-response and cycle-time data.
Next steps
Dashboard
Where the estimate appears.
PolicyMerge savings
How the compliance savings estimate works.