
Reviewing the Veracode Default Policies

Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. There are two sets of default policies:

  • Veracode Transitional Policies: the default policies for all organizations, designed to set a minimum level for those initially adopting Veracode for application security programs.

  • Veracode Recommended Policies: the best practice recommendation based on Veracode Levels.

Veracode Transitional Policies

Veracode Transitional Policies are assigned to all of your applications by default and are the default policies for newly created applications. The policies emphasize performing an initial scan to establish the baseline quality of an application, and use the Veracode score (numeric score 1-100) as a progressive quality gate.


The transitional policies do not take advantage of the remediation grace period feature. With no grace period, the transitional policy functions like the existing Veracode rating system, where the score is effective as soon as the application is published.

| Policy Name | Target VL | Minimum Score | Scan Requirement | Grace Period |
|---|---|---|---|---|
| Veracode Transitional Very High | VL1 | 90 | Any (Once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (Once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (Once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (Once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (Once) | 0 |

Veracode Recommended Policies are based on the Veracode Level definitions. They are an option when you are ready to move beyond the initial requirements set by the Veracode Transitional Policies.

| Policy Name | Target VL | Flaw Severities | Minimum Score | Scan Requirement | Grace Period |
|---|---|---|---|---|---|
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly), Manual (annually) | |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
| Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |