Comment 6 for bug 1470740

Jeremy Stanley (fungi) wrote :

As a general rule projects should try to mask/redact potentially sensitive information even for DEBUG-level logging, but there are still so many instances of this throughout OpenStack that we rely on recommendations like the red warning box you see at http://docs.openstack.org/developer/horizon/topics/deployment.html#logging to make sure deployers know that setting production service logging to DEBUG or sharing their logs of the same is potentially dangerous. If there is no general OSSN yet with similar recommendations, I agree it's a great addition.

So yes, I expect this is a bug, and should be fixed to improve the overall security posture of our software, but fixing it won't elicit a security advisory from the vulnerability management team and may not get backported to older releases unless it can be done very, very cleanly to avoid adverse operational impact.