Even large companies depending on how you want to classify one as "large". Back when Palm announced their new phone, the Palm Pre, I was given early developer access on their developer portal. I reported to them multiple security vulnerabilities including one that allowed anyone to change a simple integer in the URL and instantly see everyone's SSN / TIN, payment information, etc. It took them 3 months to fully resolve, too (their first fix was simply changing a GET call to a POST, sigh). They never even disclosed it to anyone despite my pleas (I should have but was still sorta green back then and didn't think it through).