Well, just pull up a CVSS calculator and start asking yourself questions and playing with it. As a fun game we would have people independently rate bugs on our Slack, mind you these are seasoned information security consultants that have broken a lot of software, and the ratings were hilariously far apart. Ask everyone to rate it low/medium/high/critical and consensus was pretty easy to achieve. Anyway the point is the criteria are quite subjectively. What comes out seems very quantitative, but it’s basically a pile of Jello in terms of how solid it is.