Security/VMT-Metrics
Introduction
The OpenStack Security Group (OSSG) suggests that, when the VMT creates OpenStack Security Advisories, it use the following metrics to score the potential impact of vulnerabilities on OpenStack deployments.
As with all scoring systems, this will not be universally applicable, but it will provide basic guidance on the severity of each vulnerability.
The OSSG has adapted the DREAD metric as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.
DREAD
DREAD scores five categories. The category scores are summed and divided by five, giving a result from 0-5, where 0 indicates no impact and 5 is the worst possible outcome:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5