They had one I reported in Oct 2010; it took a while to convince them it was an issue, and they finally fixed it a few months after saying they would. The URLs for attachments to private issues in private repos were guessable and publicly accessible if you guessed right (i.e. no authentication for them).
Issues always happen. It is how they are handled that makes the difference. I've not paid close attention to GitHub but it appears they react responsibly and quickly.
With my issue it seemed like Bitbucket was a one-man shop and I suspect that if I had thrown a fit things would have happened quickly. Jesper was attending PyCon and I was fine with addressing it after that, but then it was not promptly attended to afterwards. I have no records of how long it took to fix but it was at least several weeks and may have been months. He did dispute "easily guessable". (The Bitbucket service at the time was also overwhelmed with languishing tickets.)
In my own view, private data being accessible, no matter how improbable, is always an immediate issue. Issues that initially seem improbable get turned into the probable very quickly by the bad guys, who are far more imaginative.
But as I said this was late in 2010. I have no idea if the culture of Bitbucket has changed since then or is better.
The URLs were like this: https://bitbucket-assetroot.s3.amazonaws.com/<username&#...
Obviously a bit tedious to guess for humans, but no big deal for computers.