Changing bug privacy to private doesn't remove bug from project overview page

Bug #739455 reported by Steve Magoun
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Deryck Hodge
Milestone: 11.05

Bug Description

If you set a public bug to private, the bug # and description are still visible to unauthenticated/unauthorized users in the "Latest bugs reported" area of the project's overview page.

This is a potential information leak - if a user accidentally files a bug whose description should be private, the user can mark the bug private. Even if the user does this, the user has no way of hiding the description other than by changing it. This is not immediately obvious.

I suspect the issue might be that LP is caching the data on the project overview page; how often is the cached data refreshed? 20mins after marking a particular bug as private, I still see it on the overview page when using a browser session that is not logged into LP.

If the bugs on the overview page are artifacts of a stale cache, I suggest that marking a bug as a private bug or a security vulnerability be used as a trigger to flush the cache, ensuring that private things become completely private immediately.

To reproduce:
1) File a public bug on a project
2) Using a browser session not logged into LP, navigate to the project's overview page, e.g. http://launchpad.net/foo. The new bug from step 1 should be listed in the "Latest bugs reported" section.
3) Using a browser session logged into LP, make the bug private
4) Using a browser session not logged into LP, reload the project overview page. The description of the private bug is still visible. Clicking through to the bug from the overview page shows a "File not found" error page as expected.
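The stale-cache behaviour the reporter describes, and the flush-on-privacy-change fix proposed above, modelled as an added Python example (constructed here, not Launchpad's code; the in-memory TTL cache, the 20-minute TTL, and the class and function names are assumptions):

```python
# Toy model (constructed, not Launchpad code) of a TTL-cached overview fragment.
CACHE_TTL = 20 * 60  # seconds; assumed TTL, not Launchpad's real setting

class Bug:
    def __init__(self, bug_id, project, description, private=False):
        self.id, self.project = bug_id, project
        self.description, self.private = description, private

class OverviewCache:
    def __init__(self, flush_on_privacy_change):
        self.bugs = []
        self.cache = {}  # (project, viewer_class) -> (expires_at, fragment)
        self.flush_on_privacy_change = flush_on_privacy_change

    def file_bug(self, bug):
        self.bugs.append(bug)

    def latest_bugs(self, project, can_see_private, now):
        # Viewer class is part of the key, so an anonymous request never
        # reuses a fragment rendered for an authorised user.
        key = (project, "private-ok" if can_see_private else "anon")
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]  # stale hit: reflects visibility at render time
        visible = [b for b in self.bugs if b.project == project
                   and (can_see_private or not b.private)]
        fragment = [(b.id, b.description) for b in visible[-5:]]
        self.cache[key] = (now + CACHE_TTL, fragment)
        return fragment

    def set_private(self, bug):
        bug.private = True
        if self.flush_on_privacy_change:
            # Drop every cached fragment for the project: any of them may
            # embed the now-private description.
            for key in [k for k in self.cache if k[0] == bug.project]:
                del self.cache[key]

def description_leaks(flush_on_privacy_change, seconds_later=60):
    """True if an anonymous reload still lists a bug just made private."""
    site = OverviewCache(flush_on_privacy_change)
    bug = Bug(1, "foo", "constructed: description with a password in it")
    site.file_bug(bug)
    site.latest_bugs("foo", can_see_private=False, now=0)  # anon view cached
    site.set_private(bug)
    later = site.latest_bugs("foo", can_see_private=False, now=seconds_later)
    return any(bug_id == bug.id for bug_id, _ in later)
```

Without the flush, the anonymous fragment keeps listing the bug until the TTL expires; with it, the next anonymous request re-renders and omits the bug.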

Tags: qa-ok

j.c.sackett (jcsackett)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical
Robert Collins (lifeless) wrote: Re: [Bug 739455] Re: Changing bug privacy to private doesn't remove bug from project overview page

Easiest solution would be to disable memcache: we still have timeouts generating that view, and we should fix those separately.

Robert Collins (lifeless) wrote:

@steve do you mean l.n/foo or bugs.l.n/foo?

Steve Magoun (smagoun) wrote:

@Robert: l.n/foo

Deryck Hodge (deryck)
Changed in launchpad:
assignee: nobody → Deryck Hodge (deryck)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote:
Changed in launchpad:
milestone: none → 11.05
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
William Grant (wgrant)
tags: added: qa-ok
removed: qa-needstesting
Brad Crittenden (bac)
Changed in launchpad:
status: Fix Committed → Fix Released
This report contains Public information
Everyone can see this information.