Are browser bugs which can result in arbitrary code execution after visting a web page still "medium", or should we assign "high" to them? My hunch is that the free lunch is over as far as Mozilla's code base is concerned, and that these bugs begin to pose real risks (soon comparable to those PHP application bugs).