There’s a market rate for vulnerabilities in highly trafficked websites. If you want people to give you the bug report instead of selling it to zero-day gangs or governments, then you need to pay the market rate. You can expect a small discount because selling the bug to you is ‘doing the right thing’, but if you’re not paying more than a tee and you want to attract the people that go out of their way to discover issues, then you’re automatically on the back foot.
Roughly similar to a guy that walks through your neighborhood jiggling door knobs and asks for $100/house when he discovers an unlocked door or disabled alarm system; otherwise, he will report it to his burglar friends.
Not at all similar to that. Ignoring the fact that the characteristics of residences and a very high-traffic website with an enormous user base are vastly different, your argument relies on the discoverer of the vulnerability choosing one of two paths: get paid by the company or get paid by nefarious people.
A third option is to choose neither because the discoverer doesn't think it warrants his or her time to report it. Reporting a security vulnerability requires more than just sending an email. Meanwhile, others who have discovered the same vulnerability may be selling access to it and a company like Yahoo has no idea until severe damage has been done.
Assuming they spent effort to discover the vulnerability, the idea that there is a third option where it is suddenly not worth their time to report it makes little sense.