Discoverability signifies how easy it is to learn about the vulnerability. A threat that is very difficult to uncover would be rated lower than one that has already been disseminated in the public domain.
Many security professionals believe that discoverability should not be part of the model because the overall threat ranking should not be affected by this factor. Security by obscurity is a weak security control and it is not wise to consider a security risk less of a threat simply because it is difficult to discover.
Some practitioners use a DREAD-D (DREAD minus D) model and eliminate discoverability altogether. Alternatively, a development team can assign the maximum rating for discoverability for each threat, which effectively removes it as a factor.