Some companies intentionally Gray Rock security reports, because they neither want to attract attention by giving bounties, nor do they want attention for not giving bounties. If they just say nothing, the researcher usually just leaves them alone.

One could speculate that these companies want to pretend that infosec isn't a problem for them, and if they ignore the "problem", it will go away.