Last year we reported a vulnerability where a default option in Salesforce orgs allows browser session hijacking. They came back telling us that it wasn't a bug, but working as intended, and that bugs like that aren't part of their bug bounty program anyway. Then, when we found a public Salesforce forum post from eons ago where a Salesforce employee confirmed this bug/feature and tweeted it to our clients, they kicked us out of the bug bounty program for disclosing vulnerabilities.