I agree with that completely; however, common sense should have told him that demonstrating an exploit on a third party was a really dumb idea. It has nothing to do with TOS or language barriers.
I think it's more telling that the lack of professionalism displayed by an unemployed developer is the focus, and not the fact that an unemployed developer with a lack of professionalism discovered this hack. This could have been exploited so much worse than it was. Just because he didn't follow unwritten rules of disclosure, doesn't mean that Facebook didn't majorly mess up here. The details of the dev and his behavior are quite trivial, in this case.
Someone in another thread pointed out that that page doesn't get translated when you set the language to Arabic; it seems likely that the guy just couldn't understand the whitehat TOS for that reason.
I don't view that as a valid excuse not to follow the rules. Admittedly, I don't know any other language than English. But if I was setting out to participate in a bounty program run by a company that didn't have their website in my language... I would most certainly make sure I had someone to tell me what the rules are. Other people have condemned him for not knowing English. I don't fault him for that. But there is no excuse for not knowing the rules.
You still haven't explained why this matters. Facebook has a lot more responsibility than this developer. Get off your high horse. Even if Facebook wrote down these supposed "rules" they have no authority to enforce them (other than in relation to their supposed bounty program), so it's a moot point.
It matters because Facebook created their bounty program and created the rules around it. They absolutely have 100% authority to enforce them. There is nothing supposed about either the rules or the bounty program. They are not hypothetical. They both quite obviously exist and links to them prove their existence. I don't really follow what you are arguing. The developer has the responsibility to follow the rules of the program if he wants to participate in the program. He did not. Facebook has the responsibility to enforce the rules of the program. They did. So... yes... this is all moot.
You brought up the rules of disclosure... not me. And you said they were unwritten... so I was trying to let you know that they are, in fact, written. If you were not talking about the bounty program then I have no idea what rules of disclosure you are talking about and I'll move on.
That is why he isn't getting paid (yet?)