How is a vulnerability's severity determined?