...
- severity - how serious are the consequences of the rule being ignored
  - 1 = low (denial-of-service attack, abnormal termination)
  - 2 = medium (data integrity violation, unintentional information disclosure)
  - 3 = high (run arbitrary code, privilege escalation, significant harm by untrusted code)
- likelihood - how likely is it that a flaw introduced by ignoring the rule could lead to an exploitable vulnerability
  - 1 = unlikely
  - 2 = probable
  - 3 = likely
...