The login username of users is revealed all over the place (in URLs that link to user profile, or user's list of assigned open bugs etc).

This seems to be a big security risk, because you have given away half of the user identification to strangers.

Anybody can look up a user in the issue tracker and find out what username they have (possibly on an external system, LDAP or otherwise).

Instead, you should be using an internal userid for these links.