Thanks for the explanation. I set the severity to critical based on https://www.debian.org/Bugs/Developer#severities
"introduces a security hole on systems where you install the package." Your comment: " ... introduce a system-wide security flaw affecting users who do not directly use the relevant package ..." offers more information, and should be updated in https://www.debian.org/Bugs/Developer#severities At the time of reporting the issue, it wasn't clear what www.rhythmbox.org would become ( still not sure ). The main concern was if the link would point to some inappropriate content, which would be totally unacceptable from debian point of view.
