That is intentional behavior in their web application. The reason is that PyPI is the official third-party software repository for Python. It is just like a catalog of all open source Python packages. The .htaccess Options -Indexes setting is not the problem here, as these are open source packages and the site is public facing, so anyone can go to the site and download manually; if not, then I could search the same from my terminal with pip search twitter, for example, and it will list me the same number of twitter keyword packages that pypi.python.org/simple has.
Open source deals like this. If you notice, the Ubuntu repo and Debian repos have no .htaccess, and you can easily read all the folders and sub-folders of the repo. Most software providers and the open source community work in the same way, because there is no harm in information disclosure of open source packages, as they are already open! Another reason is that they can mirror all the content of the site packages and use it for downloads if a problem in the main repo persists.
I assume that you are referring to HackerOne's Python Internet Bug Bounty program, and if you report this bug then surely it's N/A there due to intentional behavior.