The Mortgage Calculator in homes.yahoo.net was vulnerable to Reflected Cross-Site Scripting (RXSS) in multiple parameters. The issue was reported to Y! Security in October 2013 and has more recently been resolved; this PoC was outside the scope of the Y! Bug Bounty Program.
Y! Bug Bounty Scope
[Image: XSS in homes.yahoo.net]
The domains and properties below are in the scope of the program:
All Yahoo and Flickr branded mobile apps.
All Yahoo and Flickr branded client side applications.
Yahoo Corp. recently established a Vulnerability Reporting Program (VRP) that met the criteria for our Reporting Bugs in Private. Companies don’t need to offer money, but it’s great when they do. Just having a Coordinated Vulnerability Disclosure Document and responding in a timely manner will often result in Private Vulnerability Reports being sent to a Target from Reporters worldwide.