
Although Mr. Shreateh did not follow the Facebook TOC to the letter, as written by Facebook's legal team, he did operate in good faith, according to the Yahoo article quoted below. Whether or not Facebook legally owes Mr. Shreateh $500 + change, there are potential PR costs, and the image of being "cheap" is one I would hope does not attach itself to Facebook - leave that to Walmart.

"So when a security researcher named Khalil Shreateh from Palestine found a bug that let him post stuff to other people's Walls, he reported it to Facebook.

That bug is a spammer's dream. To prove his bug was real, Shreateh posted something to Sarah Goodin's wall, a friend of Facebook CEO Mark Zuckerberg.

He then contacted Facebook's security team with the proof that his bug was real, he explained in a lengthy blog post. Facebook has a bounty program where it pays people to report bugs instead of using them or selling them on the black market. In this case, instead of fixing the bug and paying the researcher the $500+ fee, Facebook told him "this was not a bug," according to an email that Shreateh shared.

Shreateh says he tried a second time to warn Facebook and when that didn't work, he used the bug to post a message to Mark Zuckerberg's Wall."


