You may have noticed in SA-2008-069 for CCK that it names specific permissions required to exploit the vulnerability. Often in the history of Drupal's security announcements we have simply stated that there was a weakness and that it was a certain level of "critical."
Starting with this release we are testing out the idea of also stating specifically what kind of permissions are required to take advantage of a bug.
One extension of this point is whether or not we should even make an SA for certain situations. For example, if a weakness can only be exploited by users with the "administer site configuration" and "administer users" access, then they are already going to be able to do a lot of really bad stuff to a site beyond just XSS. There's no need to do XSS if you can give yourself permissions to delete every piece of content.
So, what do folks think? Should the security team follow the normal confidential fix and public SA process for bugs that are only exploitable by highly privileged users?
