A user contacted us complaining about the "thousands" of emails he had received from the Crowd "reset password" form.
we checked the logs and found that 398 reset requests had been entered and generated emails in ~10 minutes.
So we opened a ticket with our cyber security. Turns out it was their scanning of crowd that triggered it.
So we pointed out spamming our users is bad form.
While they will consider making an exception, they think the form "should be fixed". With a CAPTCHA or something.
We explained that that is up to the vendor.
Is adding CAPTCHA an option?
We looked to adding it our self and realized it would take editing the form and the .pom file for Crowd.