Sometimes you wonder whether those paying bug bounties in fact only want the most obvious flaws discovered (the amounts paid seem to indicate as much).
Admittedly, it's a thin line, but the researcher here discovered a flaw that was already rumoured (an IRC tip-off), and by digging a bit deeper he also established its real severity and impact, finding other poor practices (password handling) along the way.
Has he possibly crossed a line? Maybe. But then again, he didn't take the keys and go on to sell them. Instead it was immediately clear what Facebook needed to do: fix the flaw, change all the passwords, and rotate every key he was able to access.
Rather than pestering him, they should have paid a substantial amount to encourage others to do the same work for them. If you make researchers' lives miserable and pay them with petty cash, you only discourage the most talented white-hat hackers from looking at your systems, because they can earn more money elsewhere without being hassled.
The black-hat hackers, on the other hand, will be encouraged, because they can assume that fewer bugs have been discovered, which means potentially bigger loot for them. And that group of hackers will not tell you what they found. Pastebin will.