This is self-entitled bullshit. If you (not you, but people in general) want to make a living off of reporting bugs, then get a job in the field, or know which companies are explicitly paying bounties. How is that expectation of a reward anything more than blackmail?
You're coming at this all wrong. Take a step back and think about the users. Imagine your a Yahoo user and you learn that a hacker finds an exploit to take over accounts and tries to submit it to the company. They in tern send him a tshirt a friendly smile and a handshake. What does that tell you about the company? Does that make you feel like your account, data, etc is secure and more exploits will just be handed over?
It's not about the money, it's about sending a message. And instead of chaos and people wearing masks, we've got vulnerabilities, and the idea the Yahoo actually values its users.
