by cmdrfred 3627 days ago
Hell, I'd pay 6 just for shits and giggles.

Then do it. Facebook has a great security team, but it's a huge product with a lot of code churn, and there are plenty of shits and giggles left to find. Hang up a sign on Twitter or here, something credible that you can't get out of simply by changing your name to "admiralfred" or "commodorefred", that says you'll pay $6,000 for a Facebook CSRF.

You'll get a taker. Nobody other than Facebook is bidding for these bugs, and you're promising to be the high bidder for a lot of them.

Hmm. Seems like Facebook should create some front entities and buy cheap exploits on the black market. Of course, perhaps they already do. Smart folks work there.

edit

Actually, now that I think about it, someone in the right situation could probably make a nice living for a few years buying cheap/obscure exploits for lots of companies that provide bug bounties and submitting them. Beer money at least, perhaps tuition.

Seems sort of on the scale of a small-time drug dealer. Illegal, very risky in the long term, but possible to get away with for a few years if you're cautious.