[borplk]

You are completely ignoring the fact that the reporter initially created massive negative PR for Facebook by posting on Mark's profile.

The bounty for Facebook is like a chocolate bar. They don't care about that.

And the message is not "thanks for working for us for free".

The message is "thanks...but next time remember not to exploit the bug you found".

The PR damage that he has caused for Facebook is probably many times greater than the bounty he was going to be paid.

He violated their terms of service and if Facebook just ignores the fact that he exploited it on two different users then the future reporters will expect that too.