Before the current focus on security at Microsoft, all security bugs there were rated using the DREAD model. DREAD is an acronym that stands for:

  • Damage Potential
  • Reproducibility
  • Exploitability
  • Affected Users
  • Discoverability

When a bug was filed, it was rated from 1 to 10 in each of these areas.