The standard and current registration flow, in which a user submits all account data (especially email address and password) in one form, reveals whether or not a user with that email address exists.
This may make attacks on user accounts easier, and users may not want their usage of bouts.app to be known. See OWASP's Authentication Cheat Sheet for more information.
This will require having a mailer set up in order to send emails. The registration flow should look like:
Around MVP status, or before. It will be very similar to the password reset flow, so they should be implemented around the same time.
This is not a vulnerability, but a possible security and privacy enhancement.
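One way an enumeration-resistant registration can work, as an added sketch that is not bouts.app code or the flow this issue specifies: it assumes a two-step design in which the form takes only an email address, the response is identical whether or not the account exists, and the password is set through an emailed single-use token. The `Registry` class, its in-memory stores and the `outbox` list standing in for the mailer are all hypothetical.

```python
import hashlib
import secrets

# Same body for every request, so the HTTP response never reveals account existence.
GENERIC_RESPONSE = "If this address can be registered, we have sent it an email."

def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class Registry:
    """Hypothetical in-memory stand-in for the user table and mailer."""

    def __init__(self):
        self.users = {}    # email -> (salt, password hash)
        self.pending = {}  # token digest -> email awaiting confirmation
        self.outbox = []   # (recipient, message kind, token) instead of real mail

    def request_registration(self, email: str) -> str:
        email = email.strip().lower()
        if email in self.users:
            # Only the mailbox owner learns that the account already exists.
            self.outbox.append((email, "already_registered", None))
        else:
            token = secrets.token_urlsafe(32)
            self.pending[_digest(token)] = email
            self.outbox.append((email, "confirm_registration", token))
        # In a real service, queue the mail so both branches take similar time.
        return GENERIC_RESPONSE

    def complete_registration(self, token: str, password: str) -> bool:
        email = self.pending.pop(_digest(token), None)  # single use
        if email is None or email in self.users:
            return False
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        self.users[email] = (salt, pw_hash)
        return True

if __name__ == "__main__":
    reg = Registry()
    print(reg.request_registration("alice@example.test"))  # constructed address
    print(reg.outbox[-1][1])
```

The password reset flow mentioned above can reuse the same token store and the same generic response.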