- I haven't submitted to PayPal, but I do have a minor eBay XSS which I reported in May (eBay doesn't have a bounty program, but they do have a responsible disclosure policy: http://pages.ebay.com/securitycenter/Researchers.html). The last time I asked if the issue was patched I was told "Not yet. We'll let you know when this is resolved." This was in June, I haven't re-tested recently.
- When CCBill had a bug bounty program I was able to gain access to their admin panel because it was publicly accessible and linked to via a directory index. That followed a story similar to the one here (I reported it, it was rejected as a duplicate, I followed up about a month later when it still wasn't patched and they quietly patched it and paid me money)
- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4 issues. I've only heard about one of them: it was marked as a duplicate, which is fine, but weeks later the issue still isn't patched.
That being said there are companies like Google, Mozilla, Facebook, Etsy, GitHub, Reddit, and many others which take responsible disclosure of security issues seriously. But it does seem like certain companies need to re-examine how they handle reports from external researchers.