<i>"This wouldn't happen if Yahoo had a Vulnerability Reward Program"</i><p>As much as I support these kinds of programs (<a href="https://nealpoole.com/blog/responsible-disclosure-programs/" rel="nofollow">https://nealpoole.com/blog/responsible-disclosure-programs/</a>), that's a false dichotomy. Some companies have responsible disclosure policies or vulnerability reward programs. Some companies don't.<p>Anecdotally, the companies that do have programs don't inherently respond more quickly or handle reports better (i.e.: <a href="https://nealpoole.com/blog/2013/04/experiences-with-the-yandex-bug-bounty-program/" rel="nofollow">https://nealpoole.com/blog/2013/04/experiences-with-the-yand...</a>, <a href="https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my-ebay-com/" rel="nofollow">https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my...</a>). In contrast, companies that don't have programs may still be very responsive and willing to work with researchers; I reported issues to GitHub, Etsy, and Facebook before their respective programs were in place and they always responded quickly and effectively.<p>It comes down to the people who focus on security at the company and the way in which security is prioritized. If your company doesn't value and prioritize security, a responsible disclosure program won't make anyone's life easier.<p>In that sense, I do think that companies can and should do a better job of working with security researchers, regardless of whether they have a responsible disclosure program or vulnerability reward program in place. If a company takes security seriously, it should make it easy for researchers to report vulnerabilities. Researchers shouldn't feel that their reports are being sent into a black hole: if they do, they'll be less likely to spend their time reporting issues in the future.