More likely report than find. From what I've seen of their current disclosure policies, and what execs have written on Y!Answers and such, they find the problem, they figure out who did it and how, and then after they've figured out how to fix it, they alert the userbase and the public - in that order.
Also, please do remember that we're getting into a different leadership team now at Yahoo; previously they were absolutely convinced that disclosure and alarmism were one and the same - and that any perceived weakness in the Yahoo Mail product would drive people to GMail.
