18F / bug-bounty

OUT OF DATE: Internal documentation for TTS's bug bounty.
https://github.com/18F/tts-tech-portfolio/issues/49

Define terms such as "risk" and "impact". #28

Closed EdOverflow closed 4 years ago

EdOverflow commented 6 years ago

[1] We don't have a formal way of defining "risk" or "highest"; this was simply a "gut feel" decision. [2] As above, with s/risk/impact/. [1]

By defining these terms you can hopefully mitigate any potential confusion. You can see how I handled terminology on my HackerOne security policy:

📚 Terminology

The term "severity" is frequently used interchangeably with "impact" or "priority". This section defines my terminology in order to prevent any potential confusion. I use the Oxford Dictionaries' definition [2] of "severity" and the Information Technology Infrastructure Library's definitions [3] of the latter two terms.

Severity

> The fact or condition of being severe.

Impact

> A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.

Priority

> A category used to identify the relative importance of an incident, problem or change. Priority is based on impact and urgency, and is used to identify required times for actions to be taken.

Whenever I triage a report, a CVSS v3.0 Base Score metric [4] is set which evaluates the technical severity of the reported issue and allows me to prioritise the fix. Once a patch has been submitted and verified, I will then evaluate the total CVSS score by including the Environmental Score. [5]
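
The triage flow described above (a CVSS v3.0 Base Score set at triage, then an Environmental Score once the patch is verified) worked through in code. This is an added example, not part of the thread or of the 18F repository; it assumes the v3.0 equations and metric weights from the FIRST specification, and the vector strings mentioned below are constructed for illustration.

```python
import math
# Metric weights from the CVSS v3.0 specification; PR depends on Scope (U/C).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},     # Exploit Code Maturity
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},    # Remediation Level
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},               # Report Confidence
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},                # CR / IR / AR
}

def roundup(x):
    """Spec 'Round up' to one decimal, done in integers to avoid float artefacts."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.0/AV:N/...' -> dict; temporal/environmental metrics default to X."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("only CVSS v3.0 vectors are handled here")
    m = {"E": "X", "RL": "X", "RC": "X", "CR": "X", "IR": "X", "AR": "X"}
    m.update(p.split(":") for p in parts[1:])
    return m

def _score(av, ac, pr, ui, s, c, i, a, cr=1.0, ir=1.0, ar=1.0, env=False):
    iss = 1 - (1 - W["CIA"][c] * cr) * (1 - W["CIA"][i] * ir) * (1 - W["CIA"][a] * ar)  # ISS
    iss = min(iss, 0.915) if env else iss  # Modified ISS is capped by the spec
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][av] * W["AC"][ac] * W["PR"][s][pr] * W["UI"][ui]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + expl if s == "U" else 1.08 * (impact + expl), 10))

def base_score(vector):
    """Base Score: what gets set at triage to rank the fix."""
    m = parse(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])

def environmental_score(vector):
    """Environmental Score: Modified metrics (MAV.., default to base), CR/IR/AR, then E/RL/RC."""
    m = parse(vector)
    mod = lambda k: m[k] if m.get("M" + k, "X") == "X" else m["M" + k]
    inner = _score(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"), mod("C"), mod("I"),
                   mod("A"), W["REQ"][m["CR"]], W["REQ"][m["IR"]], W["REQ"][m["AR"]], env=True)
    return roundup(inner * W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]]) if inner else 0.0
```

With the constructed vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` the Base Score is 9.8; appending `/E:P/RL:O/RC:C/CR:H/IR:H/AR:H` (proof-of-concept exploit, official fix available, confirmed report) brings the Environmental Score down to 8.8. Unspecified Modified metrics fall back to the base values, so a vector with no environmental metrics scores the same under both functions.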

its-a-lisa-at-work commented 4 years ago

Closing based on the decision made on 4/21/20 to close anything that wasn't a Major current Initiative or Notable mention from the Tech Portfolio Sprint Planning 2020-04-20. Radiated intent in Slack and open for discussion on reopening.