It seems bugzilla installs all cgi scripts to /var/www/html/bugzilla. I find this rather non-optimal. Shouldn't these go somewhere _outside_ DocumentRoot, and then be ScriptAliased in httpd.conf? One example might be /var/www/bugzilla. Also, it seems the html example files in contrib weren't included. I'd suggest installing them somewhere, perhaps %doc or elsewhere. They're good for reference and testing, at least, and now you have to dive for the source right away.
isn't this a security thing? I'm not really into web stuff, but I read every now and then that CGIs should always be outside DocumentRoot and ScriptAliased, as you outlined. Perhaps changing it to severity "security" is appropriate?!
This will not be fixed due to the fact that this the way the Mozilla Bugzilla team has been doing for quite some time. Yes you are correct that normally cgi progs should go outside the document root but there would be substantial changes to be made for Bugzilla to work this way since it was designed from the beginning to reside in a single directory of its own. With proper permissions and well done code, it shouldnt be an issue in this case.