
Build a model to rate severity of security bugs #5622

@marco-c

Description

@marco-c

We could build a model to learn sec-ratings for bugs and classify them, maybe getting started only for crash-stats bugs (which already have a significant volume by now).

We don't want to downrate bugs accidentally too often, so we can use the model's results to reduce false positives with lower severities: e.g. only assign a low severity when the confidence exceeds a certain threshold, but assign a high severity with a lower confidence threshold (since the cost of falsely assigning low severity is higher than the cost of falsely assigning high severity).

In terms of features, other than the textual content of the bug, we could use crash metadata if there is a crash-stats link. For fuzz bugs, there is usually a textual attachment with e.g. an ASan trace (they either have the full crash data in comment 0 or there is a textual attachment with crash info, or both).
