Skip to main content

Overview

VulnTrack supports three industry-standard vulnerability assessment frameworks:
  • DREAD: Risk scoring for prioritization (1-10 scale)
  • STRIDE: Threat modeling categorization (boolean flags)
  • CVSS: Common Vulnerability Scoring System (0-10 scale)
Scoring data is embedded in vulnerability records and calculated automatically when importing CVEs.

DREAD Scoring

DREAD is a risk assessment framework that produces a numeric score based on five factors.

DREAD Score Structure

interface DreadScore {
  damage: number              // 1-10: Potential damage if exploited
  reproducibility: number     // 1-10: How easy to reproduce the attack
  exploitability: number      // 1-10: Skill level required to exploit
  affectedUsers: number       // 1-10: Number/percentage of users affected
  discoverability: number     // 1-10: How easy to discover the vulnerability
  total: number               // Average of the five scores
}

Calculating DREAD Score

The total DREAD score is the average of the five components: 
const total = (
  damage +
  reproducibility +
  exploitability +
  affectedUsers +
  discoverability
) / 5

Setting DREAD Scores

DREAD scores can be set when creating or updating vulnerabilities: 
import { createVulnerability } from '@/app/actions/vulnerabilities'

const result = await createVulnerability({
  title: 'SQL Injection in Login',
  description: 'Unsanitized user input',
  severity: 'CRITICAL',
  dread: {
    damage: 9,              // Complete data breach
    reproducibility: 8,     // Easy to reproduce
    exploitability: 7,      // Requires moderate skill
    affectedUsers: 10,      // All users affected
    discoverability: 6      // Moderately discoverable
  }
})

// Total DREAD score: (9+8+7+10+6)/5 = 8.0

DREAD Interpretation

Score RangeRisk LevelAction
8.0 - 10.0CriticalFix immediately
6.0 - 7.9HighFix in current sprint
4.0 - 5.9MediumSchedule for next release
2.0 - 3.9LowFix when convenient
0.0 - 1.9MinimalConsider as enhancement

STRIDE Threat Modeling

STRIDE is a threat classification framework that categorizes security threats into six types.

STRIDE Structure

interface StrideScore {
  spoofing: boolean               // Identity spoofing attacks
  tampering: boolean              // Data modification attacks
  repudiation: boolean            // Denial of actions
  informationDisclosure: boolean  // Information leaks
  denialOfService: boolean        // Availability attacks
  elevationOfPrivilege: boolean   // Privilege escalation
}

STRIDE Categories

Threat: Impersonating a user, process, or system.Examples:
  • Session hijacking
  • Authentication bypass
  • Token theft
Violates: Authentication
Threat: Modifying data or code.Examples:
  • SQL injection
  • Parameter manipulation
  • Code injection
Violates: Integrity
Threat: Performing actions without accountability.Examples:
  • Missing audit logs
  • Unsigned transactions
  • Anonymous operations
Violates: Non-repudiation
Threat: Exposing sensitive information.Examples:
  • Data leaks
  • Verbose error messages
  • Insecure storage
Violates: Confidentiality
Threat: Degrading or denying service.Examples:
  • Resource exhaustion
  • Rate limit bypass
  • Crash exploitation
Violates: Availability
Threat: Gaining unauthorized privileges.Examples:
  • Privilege escalation
  • Authorization bypass
  • Role manipulation
Violates: Authorization

Setting STRIDE Flags

import { createVulnerability } from '@/app/actions/vulnerabilities'

const result = await createVulnerability({
  title: 'XSS in User Comments',
  description: 'Unescaped user input allows script injection',
  severity: 'HIGH',
  stride: {
    spoofing: true,              // Can impersonate users
    tampering: true,             // Can modify page content
    repudiation: false,          // Actions are logged
    informationDisclosure: true, // Can steal session tokens
    denialOfService: false,      // No DoS impact
    elevationOfPrivilege: false  // No privilege escalation
  }
})

CVSS Integration

CVSS (Common Vulnerability Scoring System) scores are automatically imported when creating vulnerabilities from CVE data.

CVSS Score Range

ScoreSeverityColor
9.0 - 10.0CriticalRed
7.0 - 8.9HighOrange
4.0 - 6.9MediumYellow
0.1 - 3.9LowBlue
0.0NoneGray

CVSS to DREAD Mapping

When importing CVEs, VulnTrack automatically derives DREAD scores from CVSS vectors.

mapCvssToDread

Converts a CVSS v3.1 vector string to a DREAD score. 
import { mapCvssToDread } from '@/lib/scoring'

const dread = mapCvssToDread('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H')

// Returns:
// {
//   damage: 10,
//   reproducibility: 9,
//   exploitability: 9,
//   affectedUsers: 8,
//   discoverability: 9,
//   total: 9.0
// }

Mapping Logic

Maps from: Attack Vector (AV)
if (cvssVector.includes("AV:N")) exploitability = 9  // Network
if (cvssVector.includes("AV:A")) exploitability = 7  // Adjacent
if (cvssVector.includes("AV:L")) exploitability = 5  // Local
if (cvssVector.includes("AV:P")) exploitability = 2  // Physical

CVE Import with Scoring

When importing CVEs, scores are automatically calculated: 
import { createVulnerability } from '@/app/actions/vulnerabilities'

const result = await createVulnerability({
  cveId: 'CVE-2024-1234',
  title: 'Auto-populated from CVE',
  description: 'Auto-populated from CVE',
  severity: 'CRITICAL'
})

// System automatically:
// 1. Fetches CVE data from VulnCheck or NIST
// 2. Extracts CVSS score and vector
// 3. Generates DREAD scores via mapCvssToDread()
// 4. Checks CISA KEV (Known Exploited Vulnerabilities)
// 5. Adjusts exploitability to 10 if in KEV

KEV Enhancement

If a CVE is listed in CISA’s Known Exploited Vulnerabilities catalog: 
if (isKEV) {
  dread.exploitability = 10  // Maximum score for known exploits
}

Updating Scores

Scores can be updated after creation: 
import { updateVulnerability } from '@/app/actions/vulnerabilities'

const result = await updateVulnerability('vuln_id', {
  dread: {
    damage: 8,              // Revised down after analysis
    reproducibility: 9,
    exploitability: 10,     // Exploit code published
    affectedUsers: 7,       // Only affects subset
    discoverability: 8
  },
  stride: {
    spoofing: false,
    tampering: true,
    repudiation: false,
    informationDisclosure: true,
    denialOfService: true,  // New DoS vector discovered
    elevationOfPrivilege: false
  }
})

Scoring in Queries

Scores are included when fetching vulnerabilities: 
import { getVulnerabilities } from '@/app/actions/vulnerabilities'

const result = await getVulnerabilities()

if (result.success) {
  result.data.forEach(vuln => {
    console.log(`${vuln.title}:`);
    console.log(`  CVSS: ${vuln.cvssScore}`);
    console.log(`  DREAD: ${vuln.dread?.total}`);
    console.log(`  STRIDE Threats: ${countStrideThreats(vuln.stride)}`);
  })
}

function countStrideThreats(stride: any) {
  if (!stride) return 0
  return Object.values(stride).filter(v => v === true).length
}

Scoring Best Practices

When to Use Each Framework

1

Design Phase - Use STRIDE

During architecture and design, use STRIDE to identify potential threat vectors.
// Threat modeling a login endpoint
{
  spoofing: true,              // Could tokens be stolen?
  tampering: true,             // Could credentials be modified in transit?
  repudiation: false,          // Audit logs in place
  informationDisclosure: true, // Could passwords leak in logs?
  denialOfService: true,       // Rate limiting needed?
  elevationOfPrivilege: false  // Proper authorization checks?
}
2

Discovery Phase - Use CVSS

When vulnerabilities are discovered (via scanning, CVE, bug reports), record the CVSS score for industry-standard severity.
{
  cveId: 'CVE-2024-1234',
  cvssScore: 9.8,  // Critical severity
}
3

Triage Phase - Use DREAD

When prioritizing remediation, use DREAD to adjust for your specific context.
// CVSS is 9.8, but:
{
  damage: 9,              // High
  reproducibility: 8,     // Easy
  exploitability: 10,     // Public exploit exists
  affectedUsers: 2,       // Only affects admin panel (low user count)
  discoverability: 3      // Requires authentication
  // Total: 6.4 (downgraded due to limited exposure)
}

Combined Scoring Example

const vulnerability = {
  title: 'CVE-2024-1234: SQL Injection in API',
  cvssScore: 9.8,
  dread: {
    damage: 9,
    reproducibility: 8,
    exploitability: 10,
    affectedUsers: 3,  // Contextualized for environment
    discoverability: 5,
    total: 7.0
  },
  stride: {
    spoofing: false,
    tampering: true,
    repudiation: false,
    informationDisclosure: true,
    denialOfService: false,
    elevationOfPrivilege: true
  }
}

// Interpretation:
// - CVSS says "Critical" (9.8)
// - DREAD says "High" (7.0) after context adjustment
// - STRIDE shows 3 threat categories (T, I, E)
// - Priority: High (fix in current sprint)

Next Steps

Vulnerabilities

Create and manage vulnerabilities with scoring

Reports

Generate reports with scoring analytics

Build docs developers (and LLMs) love

Get started for freeTalk to us