> We look at the vulnerabilities and make an assessment.
1. If I understood correctly the contents of your reply, on what basis
does the Debian security team assess the severity of each security
vulnerability? What are those criteria?
2. Your latest reply implies strongly the possibility of the Debian
security team's assessments of security vulnerabilities differing from
those of the security teams of other popular Linux distros such as Gentoo,
Kali, ArchLinux, Ubuntu, etc. Am I correct?
As an example, ArchLinux issues a patch for a security vulnerability
CVE-2016-xyz with an NVD rating of medium risk. However the Debian
security team does not issue a fix for it.