
This is as clear-cut a case of full exploit with escalation of privilege all the way to full services source code read access, SSL private keys, full admin AWS credentials, services API keys from Twitter to analytics, email server logins, the list goes on... all of this without even looking at a single user profile or violating user privacy, and it's not a legit security bug? This has to be worth more than $2500, and I think Facebook sets a bad precedent where folks won't disclose big security issues because of how unclear the TOS are, so that they can avoid embarrassment.


