AFAIK there's no way to do this reasonably. We could probably add specific members of that project to the ticket individually though.

Would it be possible to create a global Herald rule? If task is on project Znuny and Security add subscribers: acl*otrs-admins, in all other cases, do nothing (or individual members of the project). I feel it'd be more appropriate to have the Visible-To field updated but I don't think that can be done easily. Recent testing (T150278) showed that subscribers of a given project can see the task (Herald don't allow to alter visibility policies don't it?). In this case since the project is a closed one, the risk of leak is nonexistent (unless bad faith from any of us which is unlikely). If you could add me to the ticket I'd appreciate it. Thanks.

I don't think Herald is able to change visibility policies. If it were, I imagine upstream would find a way to break this as, as far as I know, they don't allow an object's project list to change visibility policy.

(added @MarcoAurelio to the specific task mentioned)

Is this why {H310} was created?

No, H310 has no conditions or actions related to hidden tasks.

Global herald rules should be able to add subscribers through. A solution would be to introduce a herald rule, which would add acl*otrs-admins as a subscriber to all restricted tasks tagging OTRS. I'm not sure if that's desired, through. I'd imagine Security-Team would triage similar tasks appropriately, and grant access on-needed? I'm tagging the sec team, so they can voice their opinion.

In T154133#2902770, @Krenair wrote:

If it were, I imagine upstream would find a way to break this as, as far as I know, they don't allow an object's project list to change visibility policy.

There is at least one local modification in place to do this for PermanentlyPrivate, see: T242638. When that tag is added to a task, etc, it overrides the existing visibility policy. And removal of the tag is limited to privileged users.

In T154133#6539680, @Urbanecm wrote:

I'd imagine Security-Team would triage similar tasks appropriately, and grant access on-needed? I'm tagging the sec team, so they can voice their opinion.

We didn't have a clinic meeting this week (US holiday) but we will on October 19th. I'm not sure we'd have an issue with anything proposed above as 1) We do not normally triage acl*otrs-admins -tagged items as, AFAIK, the Security-Team still views the Phab acl* groups as being member-managed unless something incredibly egregious was attempted 2) as mentioned above, regarding various automation proposals with Herald, etc, we already do something similar for PermanentlyPrivate.

In T154133#6539680, @Urbanecm wrote:

A solution would be to introduce a herald rule, which would add acl*otrs-admins as a subscriber to all restricted tasks tagging OTRS.

For the records, this will not be possible anymore once T303829 will get fixed