18F / bug-bounty

OUT OF DATE: Internal documentation for TTS's bug bounty.
https://github.com/18F/tts-tech-portfolio/issues/49

Use CVSS terminology where necessary. #30

Closed EdOverflow closed 4 years ago

EdOverflow commented 6 years ago

Validation: As issues are reported, you'll need to review the reports to validate them. HackerOne will be performing initial triage to reproduce the issue and assign a severity. [1]

The CVSS score calculator on HackerOne only includes the CVSS v3.0 Base Score metric [2]. This is purely the technical severity; therefore, I would suggest either rephrasing that paragraph and mentioning the CVSS metric, or using the term "priority" as you did later on in the document:

Validation is complete when you have enough information from the reporter to implement a fix and assign it a priority, or enough information to dismiss it as not a bug.

its-a-lisa-at-work commented 4 years ago

Closing based on the decision made on 4/21/20 to close anything that wasn't a Major current Initiative or Notable mention from the Tech Portfolio Sprint Planning 2020-04-20, radiated intent in Slack, and open for discussion on reopening.