Regarding your question about the bug category, it seems like the focus is primarily on accessing sensitive user information without their interaction or consent. If any additional details about users are revealed in a similar manner—like viewing private messages or account settings—those would likely also fall under this category, especially if they compromise user privacy or security.

As for associating an email with a username, if you find a method that allows you to easily correlate the two without proper authorization, it's worth reporting. Even if it's not a direct breach of sensitive information like passwords or email addresses, it could still pose a risk to user privacy. It's always better to err on the side of caution and inform the relevant parties about potential vulnerabilities.