The current reset form tells you if an address does not exist which is problematic if you are using your E-Mail to log in. By default you should get a message that an E-Mail was sent to that address regardless if the user exists or doesn't.
Would you be open for accepting a pull request for this issue?
I was about to create the same issue, so I will contribute with the OWASP guide which proposes a correct response:
If that email address is in our database, we will send you an email to reset your password
This does not address the whole story. Closing -- #1307 is tracking these issues.
Most helpful comment
I was about to create the same issue, so I will contribute with the OWASP guide which proposes a correct response: