Or negligence :-)

What if the billion dollar company has a responsible disclosure process and internal vulnerability management program and has just decided not to pay for unsolicited bug reports? Where is the negligence?