At present Fisheye/Crucible official documentation lacks information about some features that could cause security issues, such as:

• No mention that the access logs are disable by default;
• No information about anonymous access being enabled by default;
• No information that repositories allow anonymous access by default;

Even in documentation these default settings is not stated clearly:

• No information about insecure default permissions on the key pages of the documentation: fisheye configuration, repo configuration.
• Security best practice page does not have any information about default insecure settings (default enabled anonymous access)