I have four bugs. Bug One depends on Bug Two which depends on Bug Three which depends on Bug Four. Bug Two and Bug Three are private. If I view the dependency tree for Bug One, the 'View as bug list' contains a link to Bug Four. This should not be because the user is unaware that Bug Two depends on Bug Three.
An example of this is at the tip:
The bug list link contains Bug Four.
IMO, that's not really a security bug. You still cannot know what the security bugs are about. I agree that once a bug you cannot see is found, the recursion should stop at this point.
And actually, this bug is known for years and is public.
*** This bug has been marked as a duplicate of bug 370883 ***