Vulnerability in password protection

Adding an exception for a website in Online threat prevention requires a password (if it's set), but if you add an exception from the notification center or the blocked page notification, it bypasses the password protection and just adds the website anyway. Now, I'm wondering if this is intended or an actual issue but either way it sure is a problem in my case.