JENKINS-74983

Security Concern: Bitbucket Branch Source Plugin Creating Webhooks Without Authentication


      We have a Jenkins master in our production environment. 

      I've observed that the Bitbucket Branch Source Plugin creates webhooks in Bitbucket repositories and uses specific endpoints in Jenkins for webhook notifications, such as:

      • /bitbucket-scmsource-hook/notify
      • /bitbucket-server-webhook/trigger

      These endpoints successfully process webhook requests from Bitbucket without requiring any authentication (e.g., credentials, tokens). While this facilitates seamless integration, it raises the following concerns:

      Observed Behavior:

      1. The plugin creates webhooks in Bitbucket repositories automatically when a multibranch pipeline or Bitbucket project is configured in Jenkins.
      2. Webhook requests to the above endpoints are authenticated implicitly, even when no credentials are configured.

      Expected Behavior:

      • Jenkins should authenticate incoming webhook requests using an API token or user credentials.
      • The plugin should enforce secure communication to avoid unauthorized triggering of builds.

      Why does the plugin allow unauthenticated access to these endpoints?

            Assignee: Nikolas Falco (nfalco)
            Reporter: Manoj (manojsamy_0695)
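While the issue is open, an operator can at least detect calls to the two endpoints named in the report that do not come from the Bitbucket instance that is supposed to call Jenkins. The following script is an added example, not code from the plugin or the reporter: it parses common-format access log lines (the sample lines and the 10.20.0.0/16 allow-list are constructed for illustration) and returns every webhook request whose source address is outside the allow-list.

```python
import ipaddress
import re

# Endpoints named in the report. A POST to either of them from a host that is
# not a known Bitbucket instance is the event worth investigating.
WEBHOOK_PATHS = ("/bitbucket-scmsource-hook/notify", "/bitbucket-server-webhook/trigger")

# Assumed allow-list (constructed): address range of the Bitbucket instance(s)
# that are expected to deliver webhooks to this Jenkins.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Common/combined access log format, as written by a reverse proxy in front of Jenkins.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec

def is_webhook_path(path):
    return any(path == p or path.startswith(p + "/") for p in WEBHOOK_PATHS)

def source_allowed(src, allowed=ALLOWED_SOURCES):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage instead of an address: treat as unknown
        return False
    return any(ip in net for net in allowed)

def find_unexpected_webhook_calls(lines, allowed=ALLOWED_SOURCES):
    """Return (src, timestamp, path, status) for webhook requests from outside the allow-list."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_webhook_path(rec["path"]):
            continue
        if not source_allowed(rec["src"], allowed):
            flagged.append((rec["src"], rec["ts"], rec["path"], rec["status"]))
    return flagged

# Constructed sample log: two legitimate deliveries, one from an unexpected host, one unrelated request.
SAMPLE_LOG = [
    '10.20.1.5 - - [10/Jan/2025:10:00:01 +0000] "POST /bitbucket-scmsource-hook/notify HTTP/1.1" 200 12',
    '10.20.1.5 - - [10/Jan/2025:10:00:07 +0000] "POST /bitbucket-server-webhook/trigger?x=1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Jan/2025:10:02:30 +0000] "POST /bitbucket-scmsource-hook/notify HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Jan/2025:10:03:44 +0000] "GET /job/app/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_unexpected_webhook_calls(SAMPLE_LOG):
        print("unexpected webhook call:", hit)
```

If Jenkins sits behind a proxy, feed the script the proxy's own log (or the forwarded client address) rather than Jenkins' view of the peer, otherwise every request appears to come from the proxy. A hit from outside the allow-list only shows an unexpected caller, not what it did, so correlate it with the builds that started at that time.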