Oh by the way they refuse to pay bug bounties to researchers who find legitimate bugs and responsibly report them.
I've been denied multiple bounties for legitimate issues regarding Facebook that they ended up patching, but was always given an elaborate excuse as to why they wouldn't pay the bounties, which always ended up being entirely fictitious if not outright lies or misinformation. It is impossible to sue them over this, because they will throw a team of unpaid intern attorneys at the case so they don't have to pay these bounties, unless it is ordered by a court. It also costs money to bring charges against them, so they get away with it most of the time and receive free work constantly!
I still have the emails where they told me that instead of filtering CSRF attacks in their system, all wireless routers in the entire world needed to be patched to prevent them... They then included the CSRF patches I proposed into their filtering system... I was not paid or compensated in any form...
This is now a rampant business practice by Facebook, because they have been allowed to get away with it repeatedly.
Hackers and security researchers have now been selling the vulnerabilities and exploits on the black market to attain at least some form of compensation.
I mean they deserve to be paid something if Facebook isn't going to pay like they promised.
I see it as fair game and I hope FB gets devastated by the next black market exploit that gets released by a security researcher who was pissed enough about not being paid to actually do something about it.