I am one of the developers using Auth0 in our application.
While there is no limit to the number of times a password reset email can be sent, there is a risk of malicious third parties sending unsolicited password reset emails if they know a registered email address.
What measures and policies does Auth0 have in place to address this issue?
I can’t find any specific measures for addressing this concern. If you’d like to make a feature request, that can be done here: #feedback.
Is this something you are seeing, or a hypothetical? Also, if bad actor has a known email address they can spam it without using Auth0. Is there a Auth0-specific concern outside of the added emails in their inbox?