However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate that possibility carefully.
Lesson learned: Find a security hole, report it to Facebook, and they don't respond after two attempts? Sell it as a zero day.
Incentives matter. And there is always money to be had somewhere else.
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
"You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
You will not create more than one personal account."
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."