This topic is frequently discussed in blogs, with a great many variations on what is right and wrong, the pitfalls, and assumptions.
In brief, the severity of a defect is extremely hard to identify unless the cause of the symptom has been fully explored and implications considered on a wider level. Severity is very subjective; for who is the symptom severe? How frequently? What are the risks to data, security, reputation etc.? How can severity be fully determined by looking at a symptom? A severe symptom may require a very easy low risk fix, or a minor looking symptom may actually be masking an extremely damaging cause that has dire consequences elsewhere.
Priority is simply identifying which defects should be fixed or investigated in which order, but according to whose needs?
The key issue is the Triage process.
A tester or developer may raise the defect on a tracking system ...