i personally don't log bugs until i've been able to reproduce an error :).
i agree that it seems inappropriate that ArcGIS Server would ever choose to enforce security on a site when it wasn't previously enforced, but given the simplicity of resolving the problem, the behavior seems a lot more desirable than if ArcGIS Server chose to make sensitive resources public when it started up incorrectly.