The vulnerabilities in Yahoo Mail, Messenger and its Flickr photo-sharing site qualified for bounties from Yahoo. To date, one has been paid through the HackerOne vulnerability disclosure program, a platform the company began using five months ago. To give researchers a new avenue to report vulnerabilities, companies such as Cloudflare and OpenSSL have also begun using the service over the last several months. The Yahoo Mail and Flickr issues took about eight months to patch they were found last November it took the Yahoo team nearly a year to patch the Messenger issue.
Source: https://threatpost.com/yahoo-fixes-trio-of-bugs-in-mail-messenger-flickr/107079/