H1 used to have a mechanism where researchers could push to make raised issues public if a ticket was ignored or marked as wontfix.

That was a good way to keep companies honest, an implementation of responsible disclosure.

So H1 could implement that again. It doesn't get them a bounty but it does stop companies pretending reports don't exist, if that's what has happened here.

If you have a Squid RCE, what prevents you from getting a CVE for it, writing a blog post, and announcing on Twitter?

HackerOne has threatened to ban researchers who disclose responsibly.

H1 is somewhat unlikely to ban someone who holds a real RCE in Squid for months and then publishes it, because H1 needs those people on its platform. Most H1 bounty people are just running scanners to find DKIM quirks.

I think the conversation about whether H1 is problematic or not is a fine thing to have at the top of the thread. I can see people going either way on that question (bear in mind that it has as much to do with idiosyncrasies of each of H1's customers as it does with H1 themselves).

Remove that bogus program from their plattform at the very least?