There should be a checkbox in the additional comments
section that flags the comment as internal or external
(confidential or customer viewable etc) Only people with
valid logins/permissions can view the internal comments
(much like the way the reporter's username is **** when
not logged in)