<%= content_tag :div, class: 'page-header' do %>

DREAD score calculator

<% end %>

Use this page to calculate the DREAD score of a given finding.

Impact score: 0

Impact = (Damage + Affected)/2

Damage Potential

If a vulnerability exploit occurs, how much damage will be caused?

Score | Sens. Data | Infra. | Phys. access
0 | Information leakage that could lead to compromise of sensitive data or systems
1 | The presence of this vulnerability contributes to other vulnerabilities being exploited
2 | Sensitive data compromised | | Access to places with no critical systems
3 | User account compromised | System completely compromised | Access to places with critical systems

NOTE: If the vulnerability violates PCI compliance, it is automatically marked as 3.

Affected users or systems

How many users or systems will be affected if the vulnerability is exploited?

0 None
1 Less than half of the systems/users are affected
2 More than half of the systems/users are affected
3 All systems or users are affected

Likelihood score: 0

Likelihood = (Repro + Exploit + Disc)/3

Reproducibility

What kind of access is necessary to exploit this vulnerability?

0 Physical access to target machine
1 Valid credentials to the system
2 Same network as the victim
3 Internet access with no credentials

Exploitability

What is needed to exploit this vulnerability?

0
  • Advanced programming and networking knowledge
  • Custom or advanced attack tools
  • Depends on other vulnerabilities being present which have not been discovered
1 Requires victim’s intervention, possibly through social engineering
2
  • Tool or malware is available on the Internet
  • Exploit is easily performed
3 Just a web browser or no tools necessary

Discoverability

How easy is it to discover and exploit this vulnerability?

Score | Difficulty | Equivalent threat agent
0 | Very hard to impossible; requires source code, administrative access or classified information | Organized crime, inside job
1 | Hard; requires partial knowledge of internal structure, or involves guessing | Motivated attacker
2 | Medium; details of faults like this are already in public domain and can be easily discovered using a search engine | Script kiddie, curious attacker
3 | Low; information is visible in a browser address bar, form, or readily visible or accessible in case of physical vulnerabilities | Automated malware, accidental discovery

DREAD score: 0

DREAD = (Impact + Likelihood)/2

#[DreadValue]#
N/A


#[Damage]#
N/A


#[AffectedSystems]#
N/A


#[Impact]#
N/A


#[Reproducibility]#
N/A


#[Discoverability]#
N/A


#[ThreatAgent]#
N/A


#[Exploitability]#
N/A


#[Likelihood]#
N/A
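
The scoring rules above, worked through as an added example (not this page's own script): it validates each 0 to 3 rating, applies the PCI override to Damage, computes Impact, Likelihood and DREAD with the formulas given, and renders the `#[Field]#` block. The function names, the `violatesPci` flag, numeric field values and two-decimal display rounding are assumptions.

```javascript
// Added example: names, the violatesPci flag and rounding are assumptions.
const THREAT_AGENTS = [ // indexed by the Discoverability rating (0 to 3)
  'Organized crime, inside job',
  'Motivated attacker',
  'Script kiddie, curious attacker',
  'Automated malware, accidental discovery',
];

// Every DREAD factor on this page is an integer rating from 0 to 3.
function rating(name, value) {
  if (!Number.isInteger(value) || value < 0 || value > 3) {
    throw new RangeError(`${name} must be an integer from 0 to 3, got ${value}`);
  }
  return value;
}

function dreadScore(f) {
  // A finding that violates PCI compliance is automatically rated Damage = 3.
  const damage = f.violatesPci ? 3 : rating('damage', f.damage);
  const affected = rating('affected', f.affected);
  const repro = rating('reproducibility', f.reproducibility);
  const exploit = rating('exploitability', f.exploitability);
  const disc = rating('discoverability', f.discoverability);
  const impact = (damage + affected) / 2;            // Impact = (Damage + Affected)/2
  const likelihood = (repro + exploit + disc) / 3;   // (Repro + Exploit + Disc)/3
  return { damage, affected, repro, exploit, disc, impact, likelihood,
    dread: (impact + likelihood) / 2,                // DREAD = (Impact + Likelihood)/2
    threatAgent: THREAT_AGENTS[disc] };
}

// Render the result in the same field order as the #[Field]# block on this page.
function toFields(s) {
  const n = (x) => String(Math.round(x * 100) / 100); // display rounding: assumption
  const fields = [
    ['DreadValue', n(s.dread)], ['Damage', s.damage],
    ['AffectedSystems', s.affected], ['Impact', n(s.impact)],
    ['Reproducibility', s.repro], ['Discoverability', s.disc],
    ['ThreatAgent', s.threatAgent], ['Exploitability', s.exploit],
    ['Likelihood', n(s.likelihood)],
  ];
  return fields.map(([k, v]) => `#[${k}]#\n${v}\n`).join('\n');
}

// Constructed sample finding: Damage rated 1 by the tester, but PCI-violating.
const sample = dreadScore({ damage: 1, affected: 2, reproducibility: 3,
  exploitability: 2, discoverability: 2, violatesPci: true });
console.log(toFields(sample));
```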