That sentence is such a false dichotomy it's hard for me to take you seriously.
Is it evil to want to feel appreciated for your work? The message facebook is sending is that they honestly don't care if you find huge, potentially costly security holes in their software and go out of your way to let them no.
edit: It seems from reading other comments $4500 is actually quite reasonable. I was basing my comment on the author saying it was a "paltry fee".
You take a huge risk even notifying companies of a security flaw you found, since that usually implies you were doing unauthorized penetration testing and they'd have a case against you under the oh-so-wonderful CFAA. Or they'll just ignore you completely and never patch the flaw.