They’re supposed to.

Instead they have a reputation for telling researchers that their disclosure isn’t actually a vulnerability and doesn’t qualify for a bounty or recognition, then quietly patching said non-vulnerability with a suspicious degree of urgency.