I have noticed that when using Bots (Bot users to seed content) there is a major and potentially very embarrassing issue.
Assuming that community managers do not want the general community to know that content has been 'seeded'.
Currently, it is possible for ANYONE to enter the username and request a password reset. Now that will not lead to an actual email, but what it does do is reveal that the user is a bot... since the community email address is all but revealed (first character+ numbers@character ***.com
I think it would be far more prudent and secure if the usual - an email has been sent to the address on file was the message.
Apart from anything else, revealing any part of a user email address is in my opinion a huge security lapse. I hope someone will respond and address this with urgency.