OWASP / Serverless-Top-10-Project

OWASP Serverless Top 10

Home Page: https://owasp.org/www-project-serverless-top-10/

What risk rating scale to use?

MarcinHoppe opened this issue

The OWASP Top 10 project uses the OWASP Risk Rating Methodology to rank risks on the list.

It looks like a good idea for the Serverless Top 10 project as well. I feel use of this risk rating scale needs to be explicitly evaluated for fit in the serverless context and clearly stated in the final report.

If we reach a consensus that this is a good risk rating scale, we can evaluate OWASP Top 10 risks in the serverless context, replacing the Serverless Risk Meter from the original report.