JIRA REST API makes it easy to harvest email addresses

2012-10-10T07:37:55
ID ATLASSIAN:JRA-30046
Type atlassian
Reporter opsteam
Modified 2017-02-20T00:45:29

Description

The JIRA REST API makes it easy to harvest email addresses as an anonymous user.

1. Go to https://jira.atlassian.com/browse/JRA-22053 as anonymous. Note that you can't extract email addresses from this page unless the user has used an email address as her username.

2. Now go to https://jira.atlassian.com/rest/api/2/issue/JRA-22053?expand=changelog, still as anonymous. The response contains the reporter email, as well as an email address for every history item. (!)

Whenever we return email addresses in the REST API we should use a [com.atlassian.jira.util.EmailFormatter|http://docs.atlassian.com/jira/latest/com/atlassian/jira/util/EmailFormatter.html] to make sure that they are masked as per the email display configuration.
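The following is an added example (not code from this issue or from JIRA itself) that an administrator can use to audit an `?expand=changelog` response against the configured "User email visibility" setting: it walks the JSON for every `emailAddress` field, as the steps above describe, and shows the "user at host dot tld" masking that the fix is meant to apply. The sample response is constructed and the setting names are assumptions.

```python
import json

# Constructed sample shaped like /rest/api/2/issue/KEY?expand=changelog
# (not a capture from jira.atlassian.com).
SAMPLE_RESPONSE = json.dumps({
    "key": "EXAMPLE-1",
    "fields": {
        "reporter": {"name": "alice", "emailAddress": "alice@example.com"},
        "assignee": None,
    },
    "changelog": {"histories": [
        {"author": {"name": "bob", "emailAddress": "bob@example.com"}, "items": []},
        {"author": {"name": "alice", "emailAddress": "alice@example.com"}, "items": []},
    ]},
})


def find_email_fields(node, path="$"):
    """Recursively collect (json_path, value) for every emailAddress key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "emailAddress" and isinstance(value, str):
                found.append((child, value))
            else:
                found.extend(find_email_fields(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_email_fields(value, f"{path}[{i}]"))
    return found


def mask_email(email):
    """Render an address in JIRA's 'masked' display form: user at example dot com."""
    local, _, domain = email.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


def exposed_for_anonymous(body, visibility):
    """Return (path, value) entries an anonymous caller should not have received.

    visibility is the admin's email display setting (assumed names):
    'public', 'masked', 'hidden' or 'logged-in' (show to logged in users only).
    Only 'public' permits raw addresses to reach an anonymous request."""
    if visibility == "public":
        return []
    leaks = []
    for path, value in find_email_fields(json.loads(body)):
        if visibility == "masked" and "@" not in value:
            continue  # already in "user at host dot tld" form, as the fix intends
        leaks.append((path, value))
    return leaks
```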