
stashbot ignores some public access request tickets because it considers them to be security tickets
Open, Lowest, Public

Description

Some tickets, for example T208491 and T208518, are ignored by stashbot: if you mention them on IRC it does not react to them.

They are public tickets but for some reason stashbot thinks they are security tickets, due to this code:

https://phabricator.wikimedia.org/diffusion/LTST/browse/master/stashbot/phab.py$56-57

< bd808> yeah, the bot is logging them with notices like "Exception: Task T208518 is a security bug.",

Event Timeline

If something private actually gets caught in that check then something has already failed. stashbot should not be given (or left with) access to private security tasks.

Semi-hysterically the task that this was discussed in is itself non-public (T180081). The problem reported there is that Stashbot can unintentionally disclose bugs marked as security issues if @Stashbot has somehow been added as a subscriber to the task. This happens because typically the security acl allows subscribed users to see tasks that they otherwise do not have access to. @Stashbot can end up subscribed to such tickets if they start as public, have a !log message associated, and then sometime later are converted to be private.

If we ever get around to building something for T152729: Integrate Stashbot better visually with Phabricator that keeps @Stashbot from becoming a subscriber automatically to each task it updates then we should be able to remove the extra check. Until then I really think this is a WONTFIX, but it is useful to leave open so folks might find it when deciding to report the same bug.

bd808 triaged this task as Lowest priority. Apr 12 2020, 3:26 AM
bd808 moved this task from Backlog to Graveyard on the Stashbot board.
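The disclosure path described above (a task starts public, the bot becomes a subscriber, the task is later made private, and the subscription keeps the bot able to read it) is the reason a bot that echoes task titles should decide on the task's own view policy and never on whether it happens to be able to read the task. The following is an added, hypothetical example and is not Stashbot's phab.py code; the `Task` model, the `"public"` policy value and the function names are assumptions for illustration. It fails closed on anything that is not explicitly public, and includes an audit helper that lists stale subscriptions of the kind the last comment wants removed.

```python
"""Hypothetical fail-closed announce check for an IRC bot that echoes
Phabricator task titles. Illustrative only; not Stashbot's actual code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumption: a public task carries this view-policy value. Anything else
# (a project ACL, a custom policy, a security policy) is treated as private.
PUBLIC_VIEW_POLICY = "public"


@dataclass
class Task:
    """Minimal stand-in for a Phabricator maniphest task (constructed model)."""
    id: str
    title: str
    view_policy: str
    subscribers: Set[str] = field(default_factory=set)


class SecurityTaskError(Exception):
    """Raised when a task must not be echoed to a public channel."""


def is_publicly_visible(task: Task) -> bool:
    """True only when the task's own view policy is explicitly public."""
    return task.view_policy == PUBLIC_VIEW_POLICY


def announce_text(task: Task) -> str:
    """Return the IRC line for a task, or raise if it must not be announced.

    The decision deliberately ignores whether the bot can read the task
    (for example because it is a subscriber): subscription-based access is
    exactly the path that leaks a later-privatised task, so it must never
    count as evidence that announcing is safe.
    """
    if not is_publicly_visible(task):
        raise SecurityTaskError(
            f"Task {task.id} is not public (policy {task.view_policy!r}); "
            "refusing to announce"
        )
    return f"{task.id}: {task.title}"


def safe_announce(task: Task) -> Optional[str]:
    """Wrapper for the IRC loop: returns the line to send, or None.

    On refusal the returned None means nothing reaches the channel; the
    refusal reason (which contains the task id but never the title) is
    what a deployment would log.
    """
    try:
        return announce_text(task)
    except SecurityTaskError:
        return None


def stale_bot_subscriptions(tasks: List[Task], bot_user: str) -> List[str]:
    """Audit helper: ids of non-public tasks the bot is still subscribed to.

    These are the subscriptions that should be dropped (the page's last
    comment proposes doing this automatically via a Herald rule).
    """
    return [
        t.id for t in tasks
        if bot_user in t.subscribers and not is_publicly_visible(t)
    ]


if __name__ == "__main__":
    # Constructed scenario: task is public, gets logged, then is made private.
    task = Task("T000000", "example title", PUBLIC_VIEW_POLICY)
    task.subscribers.add("Stashbot")          # bot became a subscriber on !log
    print(safe_announce(task))                # announced while public
    task.view_policy = "PHID-PLCY-EXAMPLE"    # placeholder: later made private
    print(safe_announce(task))                # None: refused despite access
    print(stale_bot_subscriptions([task], "Stashbot"))
```

The audit helper is the defensive counterpart of the check: running it over the bot's subscriptions (however those are fetched in a real deployment) finds the exact condition the discussion describes, a bot retaining access to a task that is no longer public, so the subscription can be removed rather than relying on the announce-time check alone.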

Global Herald that removes stashbot on any marked security task?