Description
I have some concerns about making username enumeration an automatic P5 / info. I think this is a mistake, especially for crypto programs.
Attackers actively use email validation tools (“Verified Mail”) to identify valid emails on crypto apps. These tools are sold for thousands on Telegram. Once an address is confirmed, attackers check for leaked passwords or attempt SIM swaps.
Crypto users are high-value targets. Knowing which emails are valid is often enough to get in.
I’ve submitted several reports like this. All were automatically closed. Based on the response timing, I'm pretty sure someone just saw the categorization and followed the rubric.
The VRT says this is out of scope. The black market values it at $1–10K. That disconnect is wild.
References: