This password reset endpoint doesn't reveal whether an email/username exists — but the response time differs based on whether the account is valid.
Enumerate valid usernames by measuring response time.
Send requests with different usernames and measure the response time of each. Valid usernames take ~300ms (bcrypt check); invalid ones take ~50ms (fast reject). Use Burp Intruder or a script to enumerate. Valid users include common names. Try "admin" to get the flag.
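The root cause and its fix, as an added example that is not part of the challenge's own code: a handler that fast-rejects unknown names next to one that does the same slow hash on every request. PBKDF2 from the standard library stands in for bcrypt, and the account data, the `secret` request field, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000          # assumed cost; stands in for the bcrypt work factor
kdf_calls = 0                 # instrumentation so the work done per request is observable


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2 from the standard library, standing in for bcrypt."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ROUNDS)


def make_account(secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(secret, salt)}


# Constructed sample data: one known account plus a decoy record for unknown names.
ACCOUNTS = {"alice@example.test": make_account(b"security-answer")}
DECOY = make_account(os.urandom(16))
GENERIC_REPLY = "If the account exists, a reset link has been sent."


def reset_vulnerable(username: str, secret: bytes) -> str:
    """Same body for every caller, but only known accounts reach the slow hash."""
    account = ACCOUNTS.get(username)
    if account is None:
        return GENERIC_REPLY                      # fast reject: the timing leak
    hmac.compare_digest(slow_hash(secret, account["salt"]), account["hash"])
    return GENERIC_REPLY


def reset_hardened(username: str, secret: bytes) -> str:
    """Unknown names are checked against the decoy, so both paths pay the same cost."""
    account = ACCOUNTS.get(username, DECOY)
    matched = hmac.compare_digest(slow_hash(secret, account["salt"]), account["hash"])
    if matched and username in ACCOUNTS:
        pass  # queue the reset e-mail out of band so delivery time is not observable
    return GENERIC_REPLY


def kdf_cost(handler, username: str) -> int:
    """Number of slow-hash invocations one request triggers."""
    before = kdf_calls
    handler(username, b"guess")
    return kdf_calls - before
```

Counting hash invocations instead of measuring wall-clock time keeps the comparison deterministic; per-account rate limiting on the endpoint remains a separate control.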