
I'm sure there are other marketplaces that could offer a better price...


One day you walk outside and you notice your neighbor left his keys on top of his car.

You knock on his door and let him know. He says, "Wow, thanks for the heads up, I'll buy you a beer sometime."

You think to yourself, "A beer?? I just saved his car from being stolen-- that's worth a lot more than a beer"

A week later you walk outside and see he did it again. Instead of knocking on his door, you walk into the alley and tell a local criminal about it in exchange for 500 dollars.

This is essentially what you're advocating.


This is essentially what you're advocating.

You have constructed an analogy so inapt that it threatens to suck all other dumb, unenlightening analogies on HN over its event horizon until it forms a sort of inapt hole from which dumb analogies could never escape.

Which would be a good thing, so good job!


More like you get a nickel, and next time, you think, "what a cheapskate", and don't bother mentioning it. After you walk by, a car thief steals it.


The difference is that noticing it is much harder than "walking outside one day," and he's not just some homeowner.

Rather, it's a bank, and through your advanced knowledge of structural engineering, and at least several days of work, you find a weak point in the wall that would allow for easy, noiseless drilling, allowing their vault to be emptied in ten minutes.

I agree completely that Yahoo doesn't owe them a penny, and it would be reprehensible to find a "different market," as the grandparent alludes to. But it's not quite the same.


I don't know if OP is advocating it, per se, but those marketplaces do exist. Even though it's morally and legally wrong, there is an incentive to sell exploits to the bad guys, instead of disclosing them to the company.

The analogy is a bit off, as 'a beer' is relatively good compensation for the disclosure of the car-key vulnerability, compared to the potential black-market value, and the potential loss to the owner.

With this example, it's more like you told your neighbor about his forgotten keys, and they gave you a nickel and a pat on the head.


A beer for the 3 minutes that you take to notice the key and tell him is about $120/hr.

By contrast, assuming the vulnerability in Yahoo's system took just one work week, their offer was $0.31/hr. That's 384 times worse than your neighbor giving you a beer for finding his key.

This is why your neighbor gets his key back for a beer and people are recommending black marketing Yahoo's vulnerabilities.


I don't see any advocating; it's more a statement of fact.


Unless you had a full-time job looking for your neighbor's keys.



