Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you.
Yahoo Remote Code Execution CMS
Our committee finished reviewing your reports and found that most are not eligible for a bounty under our new rules that were released a month ago, on January 4th. I will be marking all as not eligible and will issue a $500 bounty for the exposed repos and privileges gained from that.
In an additional note, the dev team had found that the SSRF reports were not actually valid. The SQLi and RCE reports were found not to be eligible because they did not demonstrate any privileges that were not already accessible with the cms credentials. Also, the SQLi and RCE reports exhibit behavior that is mentioned as not acceptable in the new rules.
I also wanted to ask if you have some time next week (less than 30 mins) to talk a little more about the bug bounty program and to see what types of products/services you may be interested in testing as part of the VIP program.