I went back and provided severity levels for the 72 oldest #curl CVEs as well (assessed manually) and now every curl CVE since the dawn of time has it set. The full list is here: curl.se/docs/security.html

Let me know if anything looks wrong.