When someone gets a password reset email from us these days, it does not contain an "if you did not request this password reset, click here to cancel". This sort of language is becoming pretty standard; Facebook says
"Didn't request this change?
If you didn't request a new password, let us know immediately [LINK]."
Key to note: the "let us know immediately" doesn't actually have to *do* anything; it still reassures people just by existing. (I'm bringing this up because one of our outside counsels forwarded me an email and asked "what should I do?"; having a link like this would have reassured him.)
Marking this minor because the lack of this does cause some consternation for users, and isn't best practices, but isn't a security bug per se.
Version: unspecified
Severity: minor