If you run a large web service, how much is it worth to you for vulnerabilities to be reported directly to you, versus being sold on the grey market to someone looking for an exploit?
That is a question you should be asking when you decide to post bounties. It is not a question you should be forced to ask after someone goes and finds vulnerabilities all on their own without your knowledge and then comes to you and asks for payment unbidden. That is called extortion.
You're right. As a result, white-hats should spend zero time with Yahoo (as the company in the article has indicated they will). The result of that is that only black-hats will be finding Yahoo vulnerabilities. Not a good end result.
What should happen is that Yahoo should have bounties in the first instance. They don't have to, but not having them leads to a bad outcome for everyone except black-hats.
