- Type: Bug
- Resolution: Fixed
- Priority: High
- Affects Version/s: 2.6.1 Enterprise
- Component/s: Project Administration - Permissions, Scheduled Tasks
- Environment: Tomcat 4.1.29, Jira 2.6.1 #65 Enterprise
- 2.06
If you have a project with a security scheme that has some default security level, then the CreateIssueHandler does not set the ticket to the default security level.
It does not set the security level at all.
This is a severe security issue and should be fixed ASAP.
In our setup this makes all issues created via email visible to all other customers. We have one support project shared by multiple customers. Each customer has their own security level, to show them only their own tickets. The default security level is now set to show the ticket only to the reporter and jira-developers.