The trouble with your first point is that companies won't go for it; no point in having HackerOne around if no one will use their platform. It's a tricky problem; let's solve it with AI and Blockchain!
Why not divide the payout? The companies paying will pay the same amount, just divided among all the reporters. They already do the work of identifying duplicate reports. Maybe it could be weighted to pay more to the first reporter.
As far as not doing it. At some point critical industries may be have to be regulated to force them to behave responsibly.
As far as not doing it. At some point critical industries may be have to be regulated to force them to behave responsibly.