We expect that bugs filed against security-audit are not yet public so it would be better that it is restricted to the security group by default. K_F agreed on irc about this change. Thanks.
I'm not aware of such an option in Bugzilla. If you are, please let me know how to do it. Otherwise, all I can do is defaulting *all* bugs in Security product to be restricted by default.
security-audit project is dead and security bugs are able to be made confidential. No need for this.