
Forgive us (non-Facebook engineers) if we don't take your (single rank-n-file engineer) anecdotal experience for official company policy when there's a publicly documented case of the head of the department doing otherwise.



Based on FB's official rebuttal, he had mentioned his company affiliation on the bug bounty portal account and had used a company email address for the communications. To me, this indicates that he was acting in an official company capacity.

Further, they didn't reach out to the CEO of the company until after he'd exfil'd data from the IG S3 bucket outside the scope of the bug report to try and leverage a bigger payout.

I have no reason to doubt any of that.

There are a lot of negatives about working at Facebook, but a lack of professionalism is not one of them.



