I couldn't find any other post on Stack Exchange talking about this.
I have found a way to get a website to list all users and their names. Is this considered a vulnerability? This website does have a bug bounty.
I think this might be a vulnerability, because an attacker could enumerate the user list and test the top 3 passwords or something, then switch to another proxy and try the next account. I don't know if this is worth reporting or not, however.
So here are my questions: Is this a vulnerability? What is its severity? Is it worth reporting? And if it is a vulnerability, what other ways could someone exploit this?
Edit: This question is talking about actually being able to list every single user and their names, not just being able to check whether or not a user exists. I don't know how to "unmark" this as a duplicate.