I found an information leakage vulnerability on a company website and I found that the information includes all the usernames of the users.
I also observed that the application uses a lockout mechanism that locks out users after 5 attempts for 30 mins.
So will this lockout be considered a vulnerability?
Yes, account lockout is not a vulnerability but will the information leakage increase the severity of the problem or not?
I would consider this a serious vulnerability. This can lead to an attack where the attacker can lock out every single user for 30 minutes.
Unless the company have a VPN in place, or other protection mechanism, it would be possible to download the entire user list, throw bogus passwords at all of them, and lock the entire company out.
They can even keep this in a loop and essentially deny access to all employees for a long period of time.
I would look at it the other way around:
Does knowing the list of users increase the severity of an attackable account lockout mechanism?
Usernames are generally not random but based on people's names, so even without specific knowledge you can enumerate likely usernames (based on a dictionary of common names) and rapidly submit them to trigger lockouts on any that are valid.
A lockout system can and should protect against such attacks, for instance by locking out or rate limiting requests from a single IP address regardless of the username attempted. This only needs to slow the attacker down enough to make enumerating impractical.
Knowing the list of usernames reduces the size of dictionary which you need to enumerate. That might be enough of a boost to make the attack practical, but it depends on how many users you need to target, and what measures the system has in place to slow you down.
Knowing the usernames might also aid you in targeting high-value accounts without triggering other protections, but those usernames could probably also be guessed from public information about key staff members, so again it's a small boost not a radical change in attack.
