You seem to be missing my point. I've repeated it in a bunch of other comments but I'll do it again here: You don't get points for "reaching out" when you don't spend a second to search for the right address to reach out to. Yahoo has a page dedicated to reporting bugs. If he had used that page he would have gotten a response. Yahoo has paid dozens of people for doing this https://hackerone.com/yahoo?show_all=true.
I'm not quite sure why you seem so sure he didn't also send an email to that address (or use that form)? I didn't read the article thoroughly, did he enumerate somewhere which ways of contacting Y! he tried?
If he had sent it to the other address, why would the person who responded have pointed it out as the email to contact? If he had already sent an email to the Yahoo Security contact, why would he then be told to do the same thing twice?