There is probably nothing to worry about. Discourse will send that message to a user’s email address if someone clicks the “I forgot my password” link on the signup login form and enters the user’s email address into the form:
There is nothing preventing anyone from entering any email address into the form. This is standard practice for handling forgotten passwords on the web. The security feature that is built into this is that the password reset email is only sent to the email address that is entered into the form, so unless the person who triggered the email also has access to the email’s inbox, they will not be able to gain access to the site.
You might consider enabling second factor authentication on your Discourse account though. That will give you an added layer of security on the off chance that someone had access to your email account. You can enable two factor authentication from your Discourse account’s Security page. If you have any trouble setting it up, you can get some help with that on here.
It is unlikely you need to contact HackerOne about the issue. HackerOne is intended for people who have discovered a repeatable exploit in Discourse. I think what you are dealing with is the expected functionality of the “I forgot my password” form.
Edit: are you an admin on the site? If so, it’s possible that your email address is set in the site contact username
setting. That email address is displayed on the site’s About page. It would be easy for someone to pull it from there. Ideally, all site staff will enable two factor authentication on their Discourse accounts.