A member of the team in phpBB Spain, I report a possible bug, I said the following and try to translate it, but my English is not good.
It's a rather small data validation issue in the ACP that does a lot of damage.
In ACP > Board Configuration > Spambot countermeasures can modify registry values and Maximum Attempts connection attempts and put negative values, if you leave posts that users make them subject to error logging and you try have to solve the CAPTCHA.
Since the modules user registration settings and security settings if validating correctly.
This possible error is in includes/acp/acp_captcha.php file, i'm not sure...
set_config($config_var, request_var($config_var, $options['default']));
$request_config = request_var($config_var, $options['default']);
$request_config = ($options['default'] === 0 && $request_config < 0) ? 0 : $request_config;