
I am a security researcher, and while fingerprinting a web application I found that all the subdirectories of domain.com/pypi were accessible from the web browser. The main directory, pypi, returns 403 Forbidden when I try to access it, but all the subdirectories are completely open and you can access and download any file from them.

The question is, should this be so? What risks does access to those files carry? Should this be reported in a bug bounty program?

Anders
Niemand

1 Answer


That is intentional behavior in their web application. The reason is that PyPI is the official third-party software repository for Python; it is just like a catalog of all open-source Python packages. The .htaccess Options -Indexes setting is not the problem here, as these are open-source packages and the site is public-facing, so anyone can go to the site and download them manually; if not, then I could search for the same thing from my terminal with "pip search twitter", for example, and it would list the same number of packages matching the keyword twitter that pypi.python.org/simple has.

Open source works like this: if you look at the Ubuntu and Debian repos, they have no .htaccess and you can easily read all the folders and sub-folders of the repo. Most software providers and the open-source community work in the same way, because there is no harm in information disclosure of open source, as it is already open! Another reason is that they can mirror all the content of the site's packages and use that for downloads if a problem with the main repo persists.

I assume that you are referring to HackerOne's Python Internet Bug Bounty program, and if you report this bug there it will surely be N/A due to intentional behavior.

Gerorge Timber
  • Perfect, now it is clear to me. Thanks! It was not for the Python program indeed, it was for a private program. – Niemand Jun 30 '16 at 11:47
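The answer turns on one distinction: a deliberately published package index (PyPI, Debian and Ubuntu mirrors) versus a web server that merely auto-generates listings for directories it was never meant to expose. When triaging a finding like the one in the question, the first step is to tell those two apart and to see what the listing actually exposes. The script below is an added example, not code from the question, the answer, or PyPI. It classifies HTTP responses into "forbidden" (the 403 on the parent), "listing" (an auto-generated index page from Apache mod_autoindex, nginx autoindex or Python's http.server, recognised by their conventional page titles, which is an assumption about those titles staying stable), "content", "missing" or "other", and pulls the entry names out of any listing. The paths and response bodies are constructed to resemble such pages; nothing is fetched from the network.

```python
"""Triage directory-listing exposure from HTTP responses.

Added example for the discussion above; not the original page's code.
Sample responses below are constructed, not captured from any real server.
"""
import re
from html.parser import HTMLParser

# Page titles emitted by common auto-generated directory listings.
# Assumption: Apache/nginx use "Index of <path>", Python's http.server uses
# "Directory listing for <path>". A hand-written index page (like a package
# index) normally has neither, and is classified as ordinary "content".
LISTING_TITLES = (
    re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I),
    re.compile(r"<title>\s*Directory listing for\s+/[^<]*</title>", re.I),
)


class _LinkExtractor(HTMLParser):
    """Collect every href on a page, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(body):
    parser = _LinkExtractor()
    parser.feed(body)
    return parser.hrefs


def classify(status, body):
    """Return 'forbidden', 'missing', 'listing', 'content' or 'other'."""
    if status == 403:
        return "forbidden"
    if status == 404:
        return "missing"
    if status == 200:
        if any(pattern.search(body) for pattern in LISTING_TITLES):
            return "listing"
        return "content"
    return "other"


def listing_entries(body):
    """Entry names from an autoindex page, minus navigation links.

    Apache sort links look like '?C=N;O=D', the parent link is '../', and
    absolute or rooted hrefs are not children of this directory.
    """
    entries = []
    for href in extract_links(body):
        if href.startswith(("?", "/", "../", "./", "http://", "https://")):
            continue
        entries.append(href)
    return entries


def triage(responses):
    """responses: {path: (status, body)} -> {path: {'kind': ..., 'entries': [...]}}."""
    report = {}
    for path, (status, body) in responses.items():
        kind = classify(status, body)
        item = {"kind": kind}
        if kind == "listing":
            item["entries"] = listing_entries(body)
        report[path] = item
    return report


# Constructed responses mimicking the question's observation: a 403 on the
# parent, an auto-generated listing on a child, and a plain page below that.
SAMPLES = {
    "/pypi/": (403, "<html><head><title>403 Forbidden</title></head>"
                    "<body><h1>Forbidden</h1></body></html>"),
    "/pypi/simple/": (200, "<html><head><title>Index of /pypi/simple/</title></head>"
                           "<body><h1>Index of /pypi/simple/</h1><pre>"
                           '<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>'
                           '<hr><a href="../">Parent Directory</a>\n'
                           '<a href="requests/">requests/</a>\n'
                           '<a href="twitter/">twitter/</a>\n'
                           '<a href="example-internal/">example-internal/</a>\n'
                           "<hr></pre></body></html>"),
    "/pypi/simple/requests/": (200, "<html><body>"
                                    '<a href="requests-2.10.0.tar.gz">requests-2.10.0.tar.gz</a>'
                                    "</body></html>"),
    "/pypi/nothere/": (404, "<html><body>Not Found</body></html>"),
}

if __name__ == "__main__":
    for path, item in triage(SAMPLES).items():
        print(path, item)
```

A "listing" hit by itself is only a finding if the entries are something the operator did not intend to publish; a private mirror that exposes names like the constructed "example-internal/" above is the case worth reporting, a public package index is not. On Apache, "Options -Indexes" in the server config or a .htaccess for that directory turns the auto-generated index this detector keys on into a 403.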