Security bugs are rated by specifying [sg:<rating>] in the "Whiteboard" field in bugzilla. For example, a bug with a Critical severity rating would be marked as [sg:critical]. You might also notice a [ws:<rating>] in the "Whiteboard" field which is used for our Web Applications. The severity rating system can be found on the [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings Web Application Security Severity Rating] page.