> They just can't pay him for having demonstrated a vulnerability by hacking someone's account.
I don't see why that is. They already provide the following caveat:
> When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
So I don't think there's some kind of legal issue there, if that's what you mean. And you could provide other caveats, like, "you can use a real account if no one is listening to you" (I grant that this may not have helped here either).
I'll reiterate what I said above, which is that the policy is fine, as long as everyone recognizes that it has a strong potential to reduce the security of Facebook. And that ought to raise some sort of alarm, right?