Still, I think that the moral action (whereby "moral" I mean being disinterested and caring about outcomes for users) is fairly obvious in this specific case (Yahoo has a good rep for taking security issues seriously) - send them the patch that you have, regardless of compensation.
Yes, that's definitely more moral than my suggestion. However, you have to remember that not all "security researchers" are going to be so moral, and many of the more moral ones will simply not bother because they're not getting paid for their work. So users both gain and lose when you report an issue without compensation. It seems to me to be better to try to force the company into changing their policy, like what happened in this story. But it should be done without putting innocent users at risk (contrary to my original comment).