
Yeah, it's pretty common. Some years back I reported a stored XSS vulnerability in an online marketplace with hundreds of thousands of users - a proper writeup with HTTP requests, proof of concept, impact, etc. No mention of bounties/rewards or anything like that - just a vulnerability report.

I made multiple attempts to report it to their security team/mailbox over several months and never got any response or acknowledgement back from them. Then a few months later they quietly fixed the issue.





