All CVSS v3 Issue types have a Low Severity despite of their Criticality

Question

Why the following Issue Types have a Low Severity starting on July 24th, 2024?

"Critical Severity CVSS v3.0 Service Vulnerability in Last Observation"
(service_vuln_host_v3_critical)
"High Severity CVSS v3.0 Service Vulnerability in Last Observation"
(service_vuln_host_v3_high)
"Medium Severity CVSS v3.0 Service Vulnerability in Last Observation"
(service_vuln_host_v3_medium)
"Low Severity CVSS v3.0 Service Vulnerability in Last Observation"
(service_vuln_host_v3_low)
"Critical Severity CVSS v3.0 Vulnerability Patching Cadence"
(patching_cadence_v3_critical)
"High Severity CVSS v3.0 Vulnerability Patching Cadence"
(patching_cadence_v3_high)
"Medium Severity CVSS v3.0 Vulnerability Patching Cadence"
(patching_cadence_v3_medium)
"Low Severity CVSS v3.0 Vulnerability Patching Cadence"
(patching_cadence_v3_low)

Answer

The Critical/High/Medium/Low in the Issue Type name reflects the CVSS rating, not the SecurityScorecard Severity. CVSS is a measure of Vulnerability Severity while the SSC Severity is a measure of Breach Risk.

In Scoring 3.0, the severity has been calculated based on our data-driven approach of correlation to breach. Our Data Science team assessed over 15,000 breaches to identify a correlation to breach and Issue Types. These findings were originally left as Informational when Scoring 3.0 was introduced back in April. After collecting more data, we are ready to score these. According to our data, we have observed that these issue types have a low risk for breaches and hence have decided to move all these issue types under "Low Severity/Breach Risk".