Comment 4 for bug 1435396

Jeremy Stanley (fungi) wrote :

In attempting to determine whether this warrants a security advisory we should discuss the associated risks, intention, and any precedent it might set for issuance of future advisories. In essence, this looks like a potential detection bypass. In a multi-version-capable deployment a malicious actor could use the v2 API to hide role grant/remove activities in an effort to avoid creating an audit trail. This doesn't allow them to perform activities they would not normally be able to. A few related questions to help classify this further:

Was this previously logged and then a regression introduced which caused it to stop logging, or was it merely added to the v3 API but never implemented for v2?

Is logging parity between API versions considered a security requirement, such that any new action logging added in newer API versions must necessarily also be included in earlier versions?

If we consider this a vulnerability, is there some standard we can consult identifying what activities must be logged so that any which aren't similarly qualify as vulnerabilities when we eventually discover them?
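The detection-bypass concern raised above (role grants made through an API path that does not log them) can be checked from the defender's side by reconciling the assignments actually in effect against the audit trail. The following is an added illustration, not code from this bug report or from Keystone: it assumes a constructed audit-log line format and constructed sample data, and simply replays grant/revoke events from the log and reports any assignment that is in effect without a matching audited grant.

```python
"""Reconcile role assignments in effect against an audit log.

Added example (not Keystone code). The log format, field names and sample
data below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    user_id: str
    project_id: str
    role_id: str


# Constructed sample: assignments currently in effect, as an operator might
# export them from the identity backend. user-b's admin grant is the one
# that was made without producing any audit record.
CURRENT_ASSIGNMENTS = [
    RoleAssignment("user-a", "proj-1", "member"),
    RoleAssignment("user-b", "proj-1", "admin"),
    RoleAssignment("user-c", "proj-2", "member"),
]

# Constructed audit log lines in a hypothetical "role_grant"/"role_revoke" format.
AUDIT_LOG = """\
2015-03-23 10:01:02 INFO role_grant user=user-a project=proj-1 role=member api=v3
2015-03-23 10:03:30 INFO role_grant user=user-c project=proj-2 role=admin api=v3
2015-03-23 10:05:10 INFO role_grant user=user-c project=proj-2 role=member api=v3
2015-03-23 10:07:45 INFO role_revoke user=user-c project=proj-2 role=admin api=v3
"""

LINE_RE = re.compile(
    r"role_(?P<action>grant|revoke) user=(?P<user>\S+) project=(?P<project>\S+)"
    r" role=(?P<role>\S+) api=(?P<api>\S+)"
)


def replay_audit_log(text):
    """Replay grant/revoke events; return {assignment: api version of last grant}.

    A revoke removes the assignment from the audited set, so the result is the
    set of assignments the log claims are currently in effect.
    """
    audited = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # unrelated log line
        ra = RoleAssignment(m["user"], m["project"], m["role"])
        if m["action"] == "grant":
            audited[ra] = m["api"]
        else:
            audited.pop(ra, None)
    return audited


def reconcile(assignments, log_text):
    """Return (unaudited, orphaned).

    unaudited: assignments in effect with no audited grant (the gap this bug
               describes: the grant happened but left no trail).
    orphaned:  assignments the log says are in effect but which no longer
               exist (a removal that was not logged).
    """
    audited = replay_audit_log(log_text)
    current = set(assignments)
    unaudited = sorted((a for a in current if a not in audited),
                       key=lambda a: (a.user_id, a.project_id, a.role_id))
    orphaned = sorted((a for a in audited if a not in current),
                      key=lambda a: (a.user_id, a.project_id, a.role_id))
    return unaudited, orphaned


if __name__ == "__main__":
    missing, stale = reconcile(CURRENT_ASSIGNMENTS, AUDIT_LOG)
    for a in missing:
        print(f"NO AUDIT TRAIL: {a.user_id} has {a.role_id} on {a.project_id}")
    for a in stale:
        print(f"UNLOGGED REMOVAL: {a.user_id} lost {a.role_id} on {a.project_id}")
```

Run periodically against an export of live assignments, a non-empty `unaudited` list is exactly the signal this comment worries about: a grant that exists but was never logged, whichever API version produced it.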