Quiz Entry - updated: 2026.07.14
How do you calculate a DREAD score for a real vulnerability?
Rate each of the five factors 1/2/3, sum them, and band the total — e.g. stored XSS sums to 13 (High), a login timing leak to 7 (Low).
Walk through each DREAD factor and assign 1 (Low), 2 (Medium), or 3 (High), then sum.
Example — Stored XSS in a forum: an attacker saves a comment containing <script> so it runs in every visitor's browser.
| Factor | Score | Reasoning |
|---|---|---|
| Damage | 3 | Can steal session cookies, deface pages, redirect users |
| Reproducibility | 3 | Post comment with <script>, triggers every time |
| Exploitability | 2 | Requires knowing XSS syntax, but many tutorials exist |
| Affected Users | 3 | Every user who views the infected page |
| Discoverability | 2 | Input fields are obvious targets, but need to test for filtering |
| Total | 13 | High risk (12-15 range) |
Example — Timing attack on login:
| Factor | Score | Reasoning |
|---|---|---|
| Damage | 1 | Only reveals if username exists, not passwords |
| Reproducibility | 2 | Needs many requests, network jitter adds noise |
| Exploitability | 2 | Requires statistical analysis of response times |
| Affected Users | 1 | Only helps target specific users |
| Discoverability | 1 | Requires security expertise to identify |
| Total | 7 | Low risk (5-7 range) |
Process: Score → Sum → Prioritize. Fix High (12-15) first, then Medium (8-11), then Low (5-7).