I once found a bug where I could access all of the names, addresses, emails, and phone numbers of all users for this new contest this company was running. I even found public announcements on Twitter. They told me this was a staging environment and wouldn't pay me. It clearly wasn't as the urls were linked directly to the announcement.
Another time, a company had an application that allowed other companies to run internal corporate training. I was able to get access to all accounts, information, and private rooms of all fortune 500 companies using it. They initially tried to get out of it by telling me they didn't own the application anymore (and immediately removed it from scope). I had proof it was in scope at the time I found the bugs (and even confirmed it before-hand with the platform).
Luckily, the platform I went through fought this and I got my payout...6 months later.
Even now, I have 50+ bugs that were triaged over the past year and the companies just sit on them and won't respond or pay out. Major platforms like Hackerone and Bug crowd don't seem to protect their researchers at all.
From the outside looking in, it seems that the community would applaud that behavoir, but I am not familier.