> That is incorrect. Many bug reports are marked as private for security reasons.
Maybe you don't know how this works. Most (almost all) employees do not have access to these bugs, either. But community members can and do have access.
Early access to these reports can be worth literally millions of dollars in the wrong hands, and cause much more damage to our users. However, who gets access isn't decided by who gets a paycheck. It's decided by who is involved and participating and trustworthy. That can be literally anybody.
Bugs are also marked private without any security angle involved whatsoever. Often, these are related to initiatives done in cooperation with so-called "partners".
For an open source project, Mozilla appears to constantly settle on pretty shitty partners if it is true (as is alleged) that it's these partners that insist on secret communication shielded from any community interaction.
Such shady deals in smoke-filled backrooms are one of the small number of things that are hard to impossible to pull off in a community-driven project without constantly pissing off contributors.
Er... pretty much everybody in pretty much all industries prefers keeping their internal communications and their communications with their clients/providers private. Mozilla is one of the only industry actors who manages to keep most of its communications public.