Open Bug 562505 Opened 15 years ago Updated 11 years ago

Detailed audit logging for specific user actions within Bugzilla

Categories

(Bugzilla :: Administration, task, P4)

People

(Reporter: clyon, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [infrasecq2][wanted-bmo])

There should be detailed logs for the following user actions.

1. If a user requests a password reset (forgot password), a log should be written with the requested account name and requesting IP address.
2. If there is a forgot password request and it expires, we should log that a user has attempted to access an expired password request.
3. If there is a successful password change, we should also log that a password has been changed (account name and IP address).
4. Failed attempts and Account Lockouts should be logged. (Separate from the current database logging)
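A sketch of the audit lines requested in the report above, added here as an example; it is not Bugzilla code and not part of the original report. The event names, the key=value line format and the helper names (`clean_field`, `audit_line`, `audit_log`) are assumptions.

```perl
use strict;
use warnings;
use POSIX qw(strftime);

# Event names are assumptions: items 1-3 of the report, plus the two
# kinds named in item 4 (failed attempts and account lockouts).
my %EVENTS = map { $_ => 1 } qw(
    password_reset_requested expired_reset_request_used
    password_changed login_failed account_locked
);

# Cap the length, replace control characters so a crafted account name
# cannot start a second log line, then escape quotes and backslashes.
sub clean_field {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value = substr($value, 0, 255);
    $value =~ s/[\x00-\x1f\x7f]/?/g;
    $value =~ s/(["\\])/\\$1/g;
    return $value;
}

# One line per event: UTC timestamp, event, account name, requesting IP.
# Passwords and reset tokens are never passed in, so they cannot be logged.
sub audit_line {
    my ($event, $account, $ip, $now) = @_;
    die "unknown audit event: $event\n" unless $EVENTS{$event};
    my $ts = strftime('%Y-%m-%dT%H:%M:%SZ', gmtime(defined $now ? $now : time));
    return sprintf('%s event=%s account="%s" ip="%s"',
        $ts, $event, clean_field($account), clean_field($ip));
}

# Append to a dedicated file, separate from the database logging.
sub audit_log {
    my ($path, @event) = @_;
    my $line = audit_line(@event);
    open(my $fh, '>>', $path) or die "cannot open $path: $!\n";
    print {$fh} "$line\n";
    close($fh) or die "cannot close $path: $!\n";
    return $line;
}

# Constructed sample events (documentation IP ranges, made-up accounts).
print audit_line('password_reset_requested', 'user@example.com', '192.0.2.10'), "\n";
print audit_line('expired_reset_request_used', 'user@example.com', '192.0.2.10'), "\n";
print audit_line('password_changed', 'user@example.com', '192.0.2.10'), "\n";
print audit_line('login_failed', "bad\nname", '198.51.100.7'), "\n";
print audit_line('account_locked', 'user@example.com', '198.51.100.7'), "\n";
```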
This is not a security issue.
Group: bugzilla-security
Priority: -- → P4
(In reply to comment #1)
> This is not a security issue.

Currently there isn't any tracking for this type of data. So I would say it is security sensitive.
(In reply to comment #2)
> Currently there isn't any tracking for this type of data. So I would say it is
> security sensitive.

It doesn't represent a security risk to users--it's not a security hole in Bugzilla. There's no reason to keep this bug confidential.
I confirm it's not a security bug. Anyway, you are requesting several things in a single bug, which should probably have been filed separately.

#2 I don't see why this would be useful
#3 is already covered by bug 366178
#4 is already fixed by bug 355283, AFAICT
Depends on: 622943
Whiteboard: [infrasecq2] → [infrasecq2][wanted-bmo]
Depends on: 366178