severity 63995 grave thanks A solution is available and it's trivial. Just conceal the addresses from the public web interface and mailing list archives, requiring authentication to access the full report. This is what's done in Ubuntu, Red Hat, XFCE, and about just any sensible project I know of.
And requiring another account or manually reporting each spam is not a solution. Firstly, another account is unnecessary and cumbersome, and secondly, reporting spam is not always possible nor effective to a regular user, and in some cases this "solution" takes just too much time and effort to be feasible. It's just common sense that you don't reveal email addresses publicly nor to spammers. This makes the BTS unusable to anyone who doesn't set up and use an email account separately and purposefully for that, and which handles spam effectively. Additionally, this goes against point 4. of the Debian Social Contract. Raising severity to grave accordingly.
