The difficulties of (reading) vulnerability severity meters
May 3rd, 2006 by Juha-Matti, Filed under: Commentary, Culture, Web
Assigning a severity rating to a security vulnerability is not always unambiguous. One good real-life example is the recently fixed Mozilla Firefox Deleted Object Reference Code Execution Vulnerability (aka the “contentWindow.focus()” vulnerability).
Some examples of published advisories and their severity levels, in alphabetical order:
Mozilla’s own MFSA 2006-30: Critical (4/4)
Bugzilla entry #334515: critical
Securident Technologies, the researcher: no severity level assigned
CA: Low (2/5) overall risk
FrSIRT: Critical (4/4)
OSVDB: no severity metric in use
Secunia: Highly Critical (4/5)
SecuriTeam: no severity metric in use
SecurityFocus: no severity metric in use
SecurityTracker: no severity metric in use
US-CERT: 7.87 (0..108)
The CVSS score in the National Vulnerability Database is 3.7, i.e. Low.
The variation is huge. Additionally, Secunia raised the severity from Not Critical to Highly Critical today.
One short conclusion: how is it possible to assign a ‘Low’ severity when PoC code is publicly available? Yes, I’m aware that code execution was proven by the MFSA recently, but still…
Best,
Juha-Matti
Pingback: What’s In A Severity Rating? at the exclamake! blog