As I said in my previous response, this is intended to be a baseline. Yes, it is trivial to bypass by having a public export and/or updating on a regular basis. Many crates that are squatted do not do this, and I suspect that swmon (as an example) won't be going through to update their 100+ crates if a policy were put in place, given that there appears to be no way to contact them to take over the crate anyways (contrary to what the README says on crates.io).

This is by no means intended to be a catch-all for squatting; rather, it should be unquestionably clear as day that the name is being taken for no purpose.

I believe most of this could be automated to some level. Checking for zero public exports is doable, as is the six-month update requirement. At that point, a "claim this crate" form/link/whatever could be put up, letting a user initiate an internal process. The server could send the crate author an email (getting it from GitHub if available?), letting them know that if they don't respond, the crate will be transferred.

How would this allow for hijacking? Perhaps every version published should be required to be empty? That would eliminate any crate that used to be useful but no longer is.