• Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 2.1
    • None
    • Core features
    • None

      Currently anyone can reset anyone else's password if they know the username. It would be better if Crowd mailed them a link that gave them the option to reset the password, and ignore otherwise.

            [CWD-86] Anyone can reset anyone else's password

            shihab added a comment -

            The solution to this problem is defined in the linked issue (CWD-1875).


            Aleksejs Mjaliks added a comment -

            How about captcha challenge?

            T Chan added a comment -

            This is a trivial denial-of-service attack. Knowing someone's username should not let you reset their password.

            Some sort of password-change-confirmation rate-limiting would be useful (e.g. it doesn't send more than one per day, reset when the user changes passwords).

            Secret questions are a terrible idea, if only because they will almost certainly be used wrong.
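The mitigation sketched in the description (mail a confirmation link and change nothing unless it is used) combined with T Chan's per-account rate limit, as an added illustration that is not part of the issue or of Crowd's code. Everything here is assumed: the `Account` and `PasswordResetService` classes, the one-hour token lifetime, the one-per-day request interval, and the in-memory `outbox` standing in for a mailer. The point it demonstrates is that a reset *request* never alters the stored password, so an attacker who merely knows a username can no longer lock the victim out, and that repeated requests stop generating mail until the account owner actually changes the password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RESET_TOKEN_TTL = timedelta(hours=1)           # assumed: link usable for one hour
RESET_REQUEST_INTERVAL = timedelta(days=1)     # assumed: at most one reset mail per day per account
GENERIC_REPLY = "If the account exists, a reset link has been sent."


def _hash(value: str) -> str:
    # sha256 keeps the example standard-library only; a real deployment hashes
    # passwords with a slow, salted KDF. Reset tokens are hashed too, so a leaked
    # database does not hand out usable reset links.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_token_expires: Optional[datetime] = None
    last_reset_request: Optional[datetime] = None


@dataclass
class PasswordResetService:
    accounts: Dict[str, Account]
    outbox: List[dict] = field(default_factory=list)  # constructed stand-in for outgoing mail

    def request_reset(self, username: str, now: datetime) -> str:
        """'Forgot password' entry point. The stored password is never touched here;
        only a confirmation link is mailed, and only if none went out recently.
        The reply is identical in every branch so the caller cannot tell whether
        the username exists or whether the request was rate limited."""
        account = self.accounts.get(username)
        if account is None:
            return GENERIC_REPLY
        if (account.last_reset_request is not None
                and now - account.last_reset_request < RESET_REQUEST_INTERVAL):
            return GENERIC_REPLY                   # silently ignored: limit not yet re-armed
        token = secrets.token_urlsafe(32)          # unguessable, single-use secret
        account.reset_token_hash = _hash(token)
        account.reset_token_expires = now + RESET_TOKEN_TTL
        account.last_reset_request = now
        self.outbox.append({"to": account.email, "username": username, "token": token})
        return GENERIC_REPLY

    def confirm_reset(self, username: str, token: str, new_password: str, now: datetime) -> bool:
        """Called when the mailed link is followed. Only here does the password change."""
        account = self.accounts.get(username)
        if account is None or account.reset_token_hash is None:
            return False
        if now > account.reset_token_expires:
            return False
        if not hmac.compare_digest(account.reset_token_hash, _hash(token)):
            return False
        self._set_password(account, new_password)
        return True

    def _set_password(self, account: Account, new_password: str) -> None:
        account.password_hash = _hash(new_password)
        account.reset_token_hash = None            # token is consumed: single use
        account.reset_token_expires = None
        account.last_reset_request = None          # a real password change re-arms the rate limit

    def verify_password(self, username: str, password: str) -> bool:
        account = self.accounts.get(username)
        return account is not None and hmac.compare_digest(account.password_hash, _hash(password))


def build_demo_service() -> PasswordResetService:
    # Constructed sample account, not real Crowd data.
    alice = Account("alice", "alice@example.com", _hash("correct horse"))
    return PasswordResetService({"alice": alice})


if __name__ == "__main__":
    svc = build_demo_service()
    t0 = datetime(2024, 1, 1, 12, 0)
    svc.request_reset("alice", t0)                      # first request: one mail goes out
    svc.request_reset("alice", t0 + timedelta(hours=2))  # second within a day: ignored
    print("mails sent:", len(svc.outbox))
    print("old password still valid:", svc.verify_password("alice", "correct horse"))
    link = svc.outbox[0]
    print("reset via link:", svc.confirm_reset("alice", link["token"], "new pass", t0 + timedelta(minutes=5)))
    print("new password valid:", svc.verify_password("alice", "new pass"))
```

Two design choices are worth noting. The generic reply and the silent drop under rate limiting mean the request endpoint leaks neither account existence nor limiter state, so an attacker gains nothing by hammering it. And the limiter is reset only inside `_set_password`, which is exactly T Chan's "reset when the user changes passwords": a legitimate owner who completes a reset can immediately request another if needed, while unsolicited requests stay capped.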

            Renan Battaglin added a comment -

            Currently, if Google Apps is integrated with Crowd and the Crowd account is using the Google Apps email, the application will be in a "locked out in any case" scenario.

            A solution suggested by one of our customers is the following:
            To add some other kind of confirmation for the reset password feature.
            For example, Crowd could ask the user to answer some secret question before resetting the password.

            Renan Battaglin added a comment -

            The situation can get worse if Google Apps is integrated with Crowd and the Crowd account is using the Google Apps email.

            I see two important facets to be analyzed:

            1. The Reset Password feature is provided in case a user forgets his password. If the feature is used by the user (in a hypothetical situation), it means that he is already locked out of his Google Apps account and therefore would not be able to log in to his Gmail account to see a "reset password email" as suggested. So, if the user needs to use this feature in the future, it means that he will already be locked out of his email account as well.

            2. An email with the "reset password" option was suggested. However, to be able to log in to Gmail, the user mustn't have any problem with his account password. In this case, logging into the Crowd Self-Service console would be enough to allow the user to change his password, since the account has no problems yet.

              justen.stepka@atlassian.com Justen Stepka [Atlassian]
              ssmith Steve Smith (Inactive)
              Affected customers: 11
              Watchers: 6