I know this because my account is banned.
Why's my account banned? Because in 2006 I received an unsolicited phone call from somewhere in Nebraska claiming to be Paypal and informing me they needed to verify my account credentials. I played along with the obvious phishing attempt for a few minutes until they demanded the email and mailing address on my account to "verify I was the account holder". I told the woman on the other end to go fuck herself and hung up. Turns out it was Paypal and they banned me for failing account verification.
The training itself - if you're being verified, you should do the same of the caller - would have immense societal value.
- I haven't submitted to PayPal, but I do have a minor eBay XSS which I reported in May (eBay doesn't have a bounty program, but they do have a responsible disclosure policy: http://pages.ebay.com/securitycenter/Researchers.html). The last time I asked if the issue was patched I was told "Not yet. We'll let you know when this is resolved." This was in June, I haven't re-tested recently.
- When CCBill had a bug bounty program I was able to gain access to their admin panel because it was publicly accessible and linked to via a directory index. That followed a story similar to the one here (I reported it, it was rejected as a duplicate, I followed up about a month later when it still wasn't patched and they quietly patched it and paid me money)
- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4 issues. I've only heard about one of them: it was marked as a duplicate, which is fine, but weeks later the issue still isn't patched.
That being said there are companies like Google, Mozilla, Facebook, Etsy, GitHub, Reddit, and many others which take responsible disclosure of security issues seriously. But it does seem like certain companies need to re-examine how they handle reports from external researchers.
If you're interested, I wrote about it here: http://blog.andrewcantino.com/blog/2011/12/14/hacking-google...