In order to get permissions working I had to pivot from using the hash
returned by Vulnerability.counted_by_severity to using a
VulnerabilitiesSummary pseudo-model and corresponding policy class.

I'm not sure I love this solution, especially since I'm now using
`public_send` to avoid having to hardcode each severity field in
VulnerabilitiesSummaryType.