I don't know if this qualifies as a bug or not, but it seems to be somewhat of a problem to me.
To reset a password, all you have to know is your e-mail address right? So if someone has their e-mail address shown as public, then someone else could reset their password for them and force them to check their e-mail and enter in the new password. Plus they could do this to harras them as often as they liked.
If it were me, the solution would be to have some kind of security question like a lot of places do, mothers maiden name, or something like that, to prevent just anyone from being able to reset someones password.