Email Enumeration Vulnerability
Vulnerability Details
Hello,
I identified from one of your disclosed reports, report #143291, that you added "security measures to help mitigate email enumeration". However, I found a way to identify valid emails registered on Uber.com. I used the SIGN UP form to find out whether an email is valid or not.
# Proof of concept:
* Go to https://get.uber.com/go/
* Write anything in email, password, credit card info, etc., and put a fake PROMO CODE
* Start intercepting requests using BurpSuite and click on "Create an account"
* Save the POST request made to https://get.uber.com/signup_submit/
* Send this saved request to Intruder tool
* Now you can brute force the __email__ parameter
# How to know if an email is valid?
* __Valid__ emails will return a response status __400__
* __Invalid__ emails will return a response status __406__
# The fine print
I have tried to brute force the __email__ parameter more than 1000 times and I have not been rate limited.
I have also attached the POST request I used and some proof-of-concept screenshots.
Looking forward to hearing more from you,
Hussein
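The report's oracle is a status-code difference on the signup endpoint (400 for a registered email, 406 for an unknown one) with no rate limit. The following is an added detection example, not code from the report or from Uber: it scans constructed application-log lines for a client that submits the signup form with many distinct emails in a short window. The log format, field order, thresholds and IP addresses are all assumptions.

```python
"""Flag signup-form email enumeration in constructed application logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-time> <ip> <method> <path> <status> <email>"
SIGNUP_PATH = "/signup_submit/"
ORACLE_STATUSES = (400, 406)  # the two codes the report says leak validity


def parse_line(line):
    """Split one log line into (timestamp, ip, path, status, email)."""
    ts, ip, _method, path, status, email = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, int(status), email


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=5):
    """Return {ip: max distinct emails seen in any `window`} for clients that
    submitted the signup form with at least `min_distinct` different emails
    and only ever received one of the oracle status codes."""
    events = defaultdict(list)
    for line in lines:
        ts, ip, path, status, email = parse_line(line)
        if path == SIGNUP_PATH and status in ORACLE_STATUSES:
            events[ip].append((ts, email))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # sliding window starting at each event; count distinct emails inside it
            distinct = {email for ts, email in evs[i:] if ts - start <= window}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def _line(sec, ip, status, email):
    """Build one constructed log line (hypothetical format, see module docstring)."""
    return f"2016-06-01T12:00:{sec:02d}Z {ip} POST {SIGNUP_PATH} {status} {email}"


# Constructed sample: a real user retrying once, then one client cycling
# through eight candidate addresses and getting the 400/406 split.
SAMPLE_LOG = [_line(1, "198.51.100.7", 400, "alice@example.com"),
              _line(9, "198.51.100.7", 400, "alice@example.com")]
SAMPLE_LOG += [_line(10 + i, "203.0.113.5", 400 if i % 3 == 0 else 406,
                     f"guess{i}@example.com") for i in range(8)]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # → {'203.0.113.5': 8}
```

The benign client is not flagged because it reuses one email; the enumerating client is reported with the number of distinct addresses it tried inside the window.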
Report Stats
- Report ID: 143672
- State: Closed
- Substate: informative
- Upvotes: 2