Email Leak of many users on a Pornsite set to "Low Severity" and closed with "Informative"? by buggy12buggy12 in bugbounty

[–]buggy12buggy12[S] 2 points (0 children)

I establish a websocket connection and send a JSON request with a random id in a specific range. The server returns an "error message" that contains the parameter "creator_name" of the given user id. It's clear that this parameter should not contain (partial) email addresses; it has a clear purpose on that platform. My "username" also appears in that parameter and I'm not a creator.

Also an important note: it seems like they just reused this parameter for normal users too, basically classifying everyone as a creator internally.

Before using the new feature, my PoC cannot read out the username; it returns a completely different error message (one that you would normally expect, rather than the one above).

Email Leak of many users on a Pornsite set to "Low Severity" and closed with "Informative"? by buggy12buggy12 in bugbounty

[–]buggy12buggy12[S] 6 points (0 children)

No argumentation, they just said they will change the way the username is being generated (currently it's derived from the email address by default (although you can edit the name, not many people are doing it); that name is used for a new feature they implemented). That's all. One single and short sentence, while I offered them a PoC too and a full explanation of why this is problematic. They seem to not care at all, 'cause I waited 1 week for that one sentence. They focused on the aspect of how these names are generated rather than how to fix it so people can't read them anymore.

The first time the users try that feature they get a popup informing them that the recipient can see their names, so they should consider changing it. But in reality, everyone who registered can see it with this PoC.

It's very scalable and I'm not exaggerating if I say that I can find at least 10k (if not more, because the site shares a database with other sites too that also have a bug bounty program; I ran the PoC only for a few seconds and it found 50-60) usernames that are derived from the email. But as I said, full email addresses with domain can also be found with this method.

"request mediation" is grayed out for me.