LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you calculate a DREAD score for a real vulnerability?

Rate each of the five factors 1/2/3, sum them, and band the total — e.g. stored XSS sums to 13 (High), a login timing leak to 7 (Low).

Walk through each DREAD factor and assign 1 (Low), 2 (Medium), or 3 (High), then sum.

Example — Stored XSS in a forum: an attacker saves a comment containing <script> so it runs in every visitor's browser.

Factor Score Reasoning
Damage 3 Can steal session cookies, deface pages, redirect users
Reproducibility 3 Post comment with <script>, triggers every time
Exploitability 2 Requires knowing XSS syntax, but many tutorials exist
Affected Users 3 Every user who views the infected page
Discoverability 2 Input fields are obvious targets, but need to test for filtering
Total 13 High risk (12-15 range)

Example — Timing attack on login:

Factor Score Reasoning
Damage 1 Only reveals if username exists, not passwords
Reproducibility 2 Needs many requests, network jitter adds noise
Exploitability 2 Requires statistical analysis of response times
Affected Users 1 Only helps target specific users
Discoverability 1 Requires security expertise to identify
Total 7 Low risk (5-7 range)

Process: Score → Sum → Prioritize. Fix High (12-15) first, then Medium (8-11), then Low (5-7).

From Quiz: SPRG / Mitigation and Risk Analysis | Updated: Jul 14, 2026