Make it optional to provide vulnerability severity

spec.md

@@ -110,7 +110,7 @@ In case of such a multi-party vulnerability handling, all parties SHOULD agree o
 
 The Organization MUST publish all resolved vulnerabilities. Each Organization MUST publish a list of all publicly known Vulnerabilities in their products. This publication SHOULD happen on a web page and SHOULD offer a machine-readable version.
 
-The publication of the list of known Vulnerabilities takes a form of a list of their identification (one or multiple ones) and at least one link to a public resource describing this Vulnerability (at least the affected product and versions, affected configurations and a general description) and SHOULD include an estimation of severity of the Vulnerability. The Organization MAY include additional information.
+The publication of the list of known Vulnerabilities takes a form of a list of their identification (one or multiple ones) and at least one link to a public resource describing this Vulnerability (at least the affected product and versions, affected configurations and a general description). It MAY include additional information such as the estimation of severity of the Vulnerability.
 
 The publication MUST include a Vulnerability identification from a public database. It MAY include additional identification numbers from public and private databases.