diff --git a/www/~/%username/emails/modify.json.spt b/www/~/%username/emails/modify.json.spt
index dff3c86915..da38b70824 100644
--- a/www/~/%username/emails/modify.json.spt
+++ b/www/~/%username/emails/modify.json.spt
@@ -48,8 +48,15 @@ if action in ('add-email', 'resend', 'start-verification'):
 
     participant.start_email_verification(address, *packages)
     if show_address_in_message:
+
+        # When reverifying an already-verified email (package claiming is a
+        # special case of this), then don't worry about content spoofing,
+
         msg = _("Check {email_address} for a verification link.", email_address=address)
     else:
+
+        # ... but otherwise, do: https://hackerone.com/reports/117187.
+
         msg = _("Check your inbox for a verification link.")
 elif action == 'set-primary':
     participant.set_primary_email(address)