How do you score each DREAD category (High/Medium/Low)?
Score each category 3/2/1 on one axis — how much harm and how easily an attacker can repeat, perform, reach, or find the exploit. High = worst case (total, effortless, universal, obvious); Low = best case (trivial, fiddly, rare, hidden).
* DREAD's five factors — Damage, Reproducibility, Exploitability, Affected users, Discoverability — each scored 1-3 and summed. *
The unifying principle: each DREAD category asks "how bad does this lean?" and you grade it High (3) → Medium (2) → Low (1). Damage grades how much harm; Reproducibility and Exploitability grade how easily an attacker can pull it off; Affected Users grades how widely it spreads; Discoverability grades how easily it's found. Always pick the row that best matches reality, then carry the number to the sum.
| Category | High (3) | Medium (2) | Low (1) |
|---|---|---|---|
| Damage | Full system compromise, admin access, upload content | Leaking sensitive info | Leaking trivial info |
| Reproducibility | Can be reproduced every time, no timing window | Requires timing window or race condition | Very difficult even with knowledge of the hole |
| Exploitability | Novice programmer can do it quickly | Skilled programmer can repeat steps | Requires extremely skilled person, deep knowledge |
| Affected Users | All users, default config, key customers | Some users, non-default config | Very small percentage, obscure feature, anonymous users |
| Discoverability | Published info explains attack, obvious feature | Seldom-used feature, requires thinking to see malicious use | Obscure, unlikely users will find it |
Go deeper:
DREAD (Wikipedia) — the five-factor model, its 1-10 vs 1-3 scoring variants, and why Microsoft later retired it for subjectivity.