In our instance of Jira we are using the security level field as the basis of our security scheme and we are able to control who sees security issues at various levels.
However, when a reporter creates a security issue, the summary and description of the issue are passed back to the reporter and potential watchers in a clear text email. Subsequent changes to the issue are also reported in emails. A diligent attacker could monitor such emails.
It would be good if there was a simple way to control the content of emails sent when the security level is set.
Our current workaround is to use an alternate notification system that allows greater control, but a simpler built-in solution would benefit all users.