We noticed that Auth0 does not block Malicious/Suspicious requests from a specific IP when these requests are Password Reset requests. It works as expected for login requests though. We expect IP got blocked when there are too many not successful requests with password reset requests.
"date": "2022-10-10T18:49:34.145Z", "type": "fcpr", "description": "User does not exist."
Password reset endpoints are not included in suspicious IP throttling yet. Please communicate your use case with our Product team via the feedback page. Meanwhile, if you need to block a specific IP, please open a support ticket.