Roundup Tracker - Issues

Issue 2550716

classification
Title: Email address displayed after password reset request
Type: security
Severity: normal
Components: Web interface
Versions: 1.4
process
Status: new
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: ThomasAH, ber, ezio.melotti, luke
Priority: normal
Keywords:

Created on 2011-08-05 10:00 by luke, last changed 2012-12-18 14:42 by ThomasAH.

Messages
msg4358 Author: [hidden] (luke) Date: 2011-08-05 10:00
Roundup allows you to request a password reset
(/user?@template=forgotten). After stating a username, Roundup confirms
this request with "Email sent to EMAILADDRESS". This allows one to tap addresses.

My rfe would be to change this to "Email sent to USER@..." (by omitting
the domain) or simply "Email with password request has been sent."
msg4367 Author: [hidden] (ber) Date: 2011-08-11 10:54
Hi Luke,
thanks for the feedback.

Can you explain to me a bit more how that "tapping" of emails
raises the risk? I mean, if you can tap the emails of the
roundup-server at all, you'd probably just tap all of them. And often
you might already have an idea about the corresponding email domain of
some users.
msg4564 Author: [hidden] (ezio.melotti) Date: 2012-05-22 00:35
FWIW this has been reported at
http://psf.upfronthosting.co.za/roundup/meta/issue430 too.
msg4568 Author: [hidden] (ber) Date: 2012-05-22 07:53
Ezio, thanks for linking!
At least Loewis also seems to think that this is not an issue,
but a feature.

What is your take on the issue?
msg4703 Author: [hidden] (ThomasAH) Date: 2012-12-18 14:42
Bernhard, in msg4367 you seem to think that someone needs to get hold of
the sent mail to retrieve the address.
Clarification:
The email address is displayed as "Email sent to user@example.com" in
the web interface, even when just the username was entered in the
password reset form.

I consider this an information leak as it does not even use the
permission system, therefore upgrading to type security and severity
normal. I would even think that a higher severity level might be
appropriate.
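The leak described in msg4358 and clarified in msg4703, modelled next to the two fixes luke proposes, as an added example that is not Roundup's own code. The user table, the "Unknown user" text for a failed lookup, and the function names are assumptions made for illustration; the only strings taken from the issue are the "Email sent to ..." confirmation and the generic "Email with password request has been sent." message.

```python
# Added example, not Roundup's own code: a minimal model of the
# "forgotten password" confirmation message discussed in the issue.
# USERS is a constructed sample table, not data from any real tracker.
USERS = {
    "luke": "luke@example.com",
    "ber": "bernhard@example.org",
}

# Hypothetical wording for a failed lookup; the issue does not quote it.
UNKNOWN = "Unknown user"

# Constant confirmation text, the second proposal in msg4358.
GENERIC = "Email with password request has been sent."


def forgotten_message_leaky(username: str) -> str:
    """Behaviour reported in the issue: the confirmation echoes the full
    address looked up from the username, so anyone who can submit the
    form learns the address without any permission check."""
    email = USERS.get(username)
    if email is None:
        return UNKNOWN
    return f"Email sent to {email}"


def mask_domain(email: str) -> str:
    """First proposal in msg4358: keep the local part, drop the domain."""
    local, _sep, _domain = email.partition("@")
    return local + "@..."


def forgotten_message_masked(username: str) -> str:
    """Same flow with the domain removed from the confirmation."""
    email = USERS.get(username)
    if email is None:
        return UNKNOWN
    return f"Email sent to {mask_domain(email)}"


def forgotten_message_generic(username: str) -> str:
    """Second proposal: a constant message that carries no part of the
    address. It is returned whether or not the lookup succeeds, so the
    response does not confirm the address or the username either way
    (the mail itself would still only be sent when the user exists;
    dispatching it is outside this example)."""
    USERS.get(username)
    return GENERIC


def response_leaks_address(message: str, email: str) -> bool:
    """Check a practitioner can run against any variant: does the
    confirmation text contain the looked-up address in full?"""
    return email in message


if __name__ == "__main__":
    for fn in (forgotten_message_leaky,
               forgotten_message_masked,
               forgotten_message_generic):
        msg = fn("luke")
        print(f"{fn.__name__:26} -> {msg!r}  "
              f"leaks={response_leaks_address(msg, USERS['luke'])}")
```

Running the block prints the three confirmation variants for the sample user "luke" and flags which of them still discloses the full address; only the original wording does.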
History
Date                 User          Action  Args
2012-12-18 14:42:44  ThomasAH      set     nosy: + ThomasAH
                                           messages: + msg4703
                                           severity: minor -> normal
                                           type: rfe -> security
2012-05-22 08:12:18  ber           set     priority: normal
2012-05-22 07:53:05  ber           set     messages: + msg4568
2012-05-22 00:35:54  ezio.melotti  set     nosy: + ezio.melotti
                                           messages: + msg4564
2011-08-11 10:54:34  ber           set     nosy: + ber
                                           messages: + msg4367
2011-08-05 10:00:33  luke          create