I think some indication must be given to a legitimate user, as the user otherwise may not recall what email account to check. In the specific case of bugs.python.org, it may, in particular, be a sourceforge address.

If people are worried that users massively read out email addresses from the bug tracker, I'd rather rate-limit password reset operations by IP address, to one reset per hour. 

If users use this to research a specific email address of a specific user account, I'd rather not stop them from doing so. People who are too worried about revealing their email address should arrange to use a separate address for places such as the bug tracker.