I totally understand the policy, roc, but wouldn't it be nice to have something more than "You are not authorized to access bug #470487" when a user is trying to look up some of these bugs? All I know about that bug is it's a topcrasher, it must be exploitable (because it's hidden), as of two days ago the fix for it is not in the 1.9.1 branch (according to the platform weekly meeting notes), and it was reported seven months ago.
It might be nice if the Bugzilla page could give me at least some useful information. For example, it should tell me the severity of the vulnerability and its status in the trunk and each of the release branches. Then I would at least be able to think about the risk rationally.