BUT TODAY WE FOUND ANOTHER serious bug, from our point of view.
Let's say we have 3 users in our organization
USER(A)-Director
USER(B)-Employee
USER(C)-Employee
USER(B) has his own lead (JOHN DOE with email JOHN.DOE@AOL.COM) with whom he is in contact and (as the email setting is on public), USER(A) can see his communications while USER(C) cannot, being at the same level as USER(B).
The first problem arises when USER(C) registers another LEAD in the system that has the email JOHN.DOE@AOL.COM. At this point USER(C) can see all the correspondence between USER(B) and JOHN DOE and even the emails sent from USER(A) to JOHN DOE.
This issue was solved by not allowing duplicates within the contacts as you suggested ... BUT !!!
If USER(B) converts his Lead JOHN DOE from LEAD to CONTACT then USER(C) can again register a new Lead with the email JOHN.DOE@AOL.COM and here we are again, he can see all conversations.
I believe that this is due to the fact that LEADS & CONTACTS belong to two different tables and so the system does not make cross-checks, but it is an unbelievable security bug.
Can you please help us with this?
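
The scenario above, as an added example that is not part of the original post and not the CRM's own code: a duplicate check that spans both leads and contacts, plus mail visibility decided by the sender's reporting line instead of by a matching address. The schema, the `REPORTS_TO` map and all function names are assumptions made for illustration.

```python
import sqlite3

# Assumed reporting line from the post: A is director over B and C.
REPORTS_TO = {"B": "A", "C": "A"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE leads    (owner TEXT, email TEXT);
        CREATE TABLE contacts (owner TEXT, email TEXT);
        CREATE TABLE mails    (sender TEXT, peer_email TEXT, body TEXT);
    """)
    return db

def email_owner(db, email):
    """Return who owns this address in leads OR contacts, else None."""
    row = db.execute(
        "SELECT owner FROM leads WHERE lower(email) = lower(:e) "
        "UNION ALL "
        "SELECT owner FROM contacts WHERE lower(email) = lower(:e) LIMIT 1",
        {"e": email.strip()}).fetchone()
    return row[0] if row else None

def add_lead(db, owner, email):
    # The check covers both tables, so a converted lead still blocks reuse.
    if email_owner(db, email) is not None:
        raise ValueError("address already registered as a lead or contact")
    with db:
        db.execute("INSERT INTO leads VALUES (?, ?)", (owner, email.strip()))

def convert_lead(db, owner, email):
    with db:  # one transaction: the address is never absent from both tables
        cur = db.execute(
            "DELETE FROM leads WHERE owner = ? AND lower(email) = lower(?)",
            (owner, email))
        if cur.rowcount != 1:
            raise LookupError("no such lead for this owner")
        db.execute("INSERT INTO contacts VALUES (?, ?)", (owner, email))

def visible_mails(db, viewer):
    """A mail is visible to its sender and the sender's managers only."""
    out = []
    for sender, peer, body in db.execute("SELECT * FROM mails ORDER BY rowid"):
        chain, user = {sender}, sender
        while user in REPORTS_TO:
            user = REPORTS_TO[user]
            chain.add(user)
        if viewer in chain:
            out.append((sender, peer, body))
    return out
```

The visibility rule is the second layer: even if a duplicate record slipped in, matching the address alone would not expose another user's mail.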