It seems the default setting is to let the Guest user submit new bug reports (at least, I don't see how I could have ever set this setting to True). This is a security problem, because it completely bypasses the need for authentification, spammers can just submit stuff like that without needing to be moderated or to even create an account.

I tried to check if this was indeed the default setting, but couldn't figure out by looking at the code.

I agree that this shouldn't be the default, but it is not a security issue. You can change this in Administration --> Users & Permissions --> Usergroups --> Unregistered/Not Logged In [Edit] --> Can Submit Bugs --> NO.

Well, I would argue that default settings like this *are* a security issue. Unless you manually review everything before starting to use bugdar, it completely defeats the (expected) purpose of the user accounts categories. What's the point in distinguishing guests from registered users by default if both can post spam?

You don't see PHP shipping with register_globals = True by default, for example. The expectation is that the default setting is to be secure, and that if you enable it, then you know what you're doing. This is like Windows shipping with world-writeable folder shares by default (or something along those lines).