Why do several bug bounties ignore user enumeration?
Because they are already aware of the issue. This is evident of them making a mention on the exclusion list. Not mentioning it would likely lead to a lot of users pointing it out.
And since they are aware you might be wondering why they won't fix it. There really isn't a way to prevent it. If they restrict an email to one sign up they will have to inform the user why they cannot complete their registration if it has already been used. Or if a username is already selected, they would again have to inform them in an user friendly way why they cannot. So instead of taking out enumeration completely they will have to limit attempts, include CAPTCHA, or implement another plan to prevent abuse.
So when you have a known bug with no ability or intentions to fix it there really isn't any benefit to the company to pay out a bounty or receive reports on it.
In addition to @Bacon Brad's excellent answer above, I would like to include three more reasons as to why "user enumeration" is often listed under the "out of scope bugs" sections in security policies.
- Lots of bug bounty platforms have default policies which programs can use when launching. By default these policies often include a handful of frequently-reported low-severity issues including user enumeration.
- Programs usually don't want bug bounty hunters flooding their servers with requests so user enumeration falls under "brute forcing" — it's just a way of saying: "Please don't repeatedly probe for different usernames on our application."
- Bug bounty programs receive lots of reports, so it's really important to prioritise your triage team's efforts and minimise the number of low-priority reports to ensure the team can focus on critical issues. By excluding "user enumeration", the program can reduce a bit of noise and make the triaging process much easier. Of course programs still receive reports concerning issues that are listed in their policy as out of scope, but it still seems to work for the most part.