Effective vulnerability management requires a standardized method for prioritizing risks. The DREAD model, originally developed by Microsoft, provides a quantitative framework to assess the severity of security threats based on five key categories.
The Five Categories of DREAD
DREAD transforms qualitative risk assessments into a calculated score. Each category is rated on a scale of 1 to 10.
Damage Potential
If the threat is exploited, how severe is the damage?
- 0: No potential for damage.
- 5: Information leakage or non-critical service disruption.
- 10: Complete system compromise, data destruction, or total service unavailability.
Note: Damage potential should consider both technical impact (data loss) and business impact (reputation, financial loss).
Reproducibility
How easy is it to reproduce the attack?
- 0: Nearly impossible, even for the original attacker.
- 5: Requires a specific, complex sequence of unsynchronized events.
- 10: The attack can be reproduced reliably every time (e.g., via a script).
Exploitability
How much effort and expertise is required to launch the attack?
- 0: Requires advanced knowledge, funding, and custom tooling (State-level actor).
- 5: Verified proof-of-concept code exists; requires some customization.
- 10: Automated tools are available; requires no skill to execute.
Affected Users
What percentage of users are impacted?
- 0: No users.
- 5: A specific subset of users (e.g., only administrators).
- 10: All users, including anonymous and authenticated users.
Discoverability
How easy is it to discover the vulnerability?
- 0: Hidden functionality; requires source code access to find.
- 5: Can be found by monitoring network traffic or guessing common patterns.
- 10: Visible in the UI or flagged by standard vulnerability scanners.
Calculating the Risk Score
The final DREAD score is the average of the five values:
Risk Score = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5
Severity Bands
| Score Range | Severity Classification | Recommended SLA |
|---|---|---|
| 1.0 - 3.9 | Low | Fix within 90 days or accept risk. |
| 4.0 - 6.9 | Medium | Fix within 30 days. |
| 7.0 - 10.0 | High / Critical | Immediate remediation required (24-48 hours). |
Practical Application: SQL Injection
Consider a SQL Injection vulnerability in a legacy search form.
| Category | Score | Rationale |
|---|---|---|
| Damage | 9 | Allows full database dump and modification. |
| Reproducibility | 10 | Trivial to reproduce with a browser. |
| Exploitability | 8 | Requires basic SQL knowledge; reliable tools like sqlmap exist. |
| Affected Users | 10 | The database powers the core application for all users. |
| Discoverability | 7 | Common parameter structure; discovered by automated scanner. |
| Total | 44 | |
| Average | 8.8 | Critical Severity |
Compared to a Cross-Site Scripting (XSS) bug on an admin-only page: Damage (4) + Reproducibility (8) + Exploitability (5) + Affected Users (2) + Discoverability (3) = 22, and 22 / 5 = 4.4 (Medium).
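The scoring formula, the severity bands and the two worked examples above can be turned into a small scorer so that a team applies the same arithmetic to every finding. The following is an added example written for this article, not code from Microsoft or any DREAD tooling; the category names, the 0-to-10 range check, the dataclass and function names, and the mapping of scores below 1.0 onto the Low band (the article's table starts at 1.0) are this example's own assumptions. The band edges, SLAs and the two sample findings are taken from the page.

```python
"""Added example: a DREAD scorer that reproduces the article's arithmetic."""
from dataclasses import dataclass

# The five DREAD categories, in the order used by the article's formula.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

# Severity bands from the article's table: (inclusive lower bound, label, SLA).
# Assumption: anything below the table's 1.0 floor is treated as Low.
SEVERITY_BANDS = (
    (7.0, "High / Critical", "Immediate remediation required (24-48 hours)"),
    (4.0, "Medium", "Fix within 30 days"),
    (0.0, "Low", "Fix within 90 days or accept risk"),
)


@dataclass(frozen=True)
class DreadRating:
    """One finding rated against the five categories (hypothetical class name)."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # The article's anchors are 0, 5 and 10, so reject anything outside 0..10
        # (and non-integers, which would hide a typo such as 7.5 or "8").
        for cat in CATEGORIES:
            value = getattr(self, cat)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {cat} must be an integer 0..10, got {value!r}")

    def total(self) -> int:
        """Sum of the five category values (the 'Total' row of the article's table)."""
        return sum(getattr(self, cat) for cat in CATEGORIES)

    def score(self) -> float:
        """Risk Score = (Damage + Reproducibility + Exploitability + Affected Users
        + Discoverability) / 5, rounded to one decimal as the article presents it."""
        return round(self.total() / len(CATEGORIES), 1)


def classify(score: float):
    """Map a risk score onto (severity label, recommended SLA) using SEVERITY_BANDS."""
    for lower_bound, label, sla in SEVERITY_BANDS:
        if score >= lower_bound:
            return label, sla
    raise ValueError(f"score out of range: {score}")


def rank_findings(findings):
    """Return the findings ordered highest score first, so the remediation queue
    follows the DREAD result rather than the order in which bugs were reported."""
    return sorted(findings, key=lambda f: f.score(), reverse=True)


def report(findings):
    """One summary line per finding, in priority order (returned, not printed)."""
    lines = []
    for f in rank_findings(findings):
        label, sla = classify(f.score())
        lines.append(f"{f.name}: total {f.total()}, score {f.score():.1f}, {label} ({sla})")
    return lines


# Constructed sample findings that mirror the article's two worked examples.
SQLI = DreadRating("SQL injection in legacy search form", 9, 10, 8, 10, 7)
ADMIN_XSS = DreadRating("XSS on admin-only page", 4, 8, 5, 2, 3)

if __name__ == "__main__":
    for line in report([ADMIN_XSS, SQLI]):
        print(line)
```

Running the block prints the SQL injection finding first (score 8.8, High / Critical) and the admin-page XSS second (score 4.4, Medium), matching the article. Keeping the band edges in one table and the formula in one method is the point: when a team later decides to weight Damage more heavily, or to move the Critical threshold, there is a single place to change and every past score can be recomputed the same way.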
This quantitative approach removes ambiguity and helps stakeholders understand why one bug takes precedence over another.