The whitehat page explicitly says that you must “not interact with other accounts without the consent of their owners” in order to qualify for the bounty. So yes, apparently Facebook can deny payment and suspend your account if they can reasonably suspect that you violated someone's privacy during bug discovery.
However, it seems that if you don't give them any clues in your report, they'll close their eyes and won't investigate carefully that possibility.
Well according to Facebook, "this is not a bug". Which means the feature works as intended. If he is using Facebook as it is intended, then how can he be breaking the TOS?
When an employee whose job it is to evaluate security issues says "this is not a bug", that determination carries the force of law the same way as if it appeared in the TOS. You cannot rely on people to follow some nebulous "spirit of the TOS" when meanwhile your employees have already made a contrary specific determination for how it applies to this particular bug.
They wouldn't be paying him to violate the terms ... and it's not like Facebook has any problem with changing a user's privacy settings without permission - except I guess we probably agreed somewhere in the agreements to allow that, or not to hold them accountable - probably both.
"Please use a test account instead of a real account when investigating security vulnerabilities. When you are unable to reproduce a security vulnerability with a test account, it is acceptable to use a real account, except for automated testing."