I have always thought that the “white hat security researchers” who find a flaw in a commonly used site or application and then go directly public, so nefarious sorts can take advantage of the flaw before it is patched, are doing it wrong. Facebook does too: if you want the big money that finding a flaw or security issue with Facebook pays out, you have to keep the flaw secret until it is patched. Facebook is handing out debit cards to the researchers who find bugs.
The program that Facebook uses pays out not with a check, but with a pre-paid Visa debit card that has “White Hat Bug Bounty Program” printed on the front. The idea is that the debit card can be refilled with more bug-busting loot when the researcher finds the next flaw. The researchers can use the card like a normal credit card.
They can also get the money out by creating a PIN and using an ATM. Facebook pays very well to those who find and report bugs. The minimum is $500 and there is no maximum set. One researcher earned $2,500 for a single bug report and didn’t want the loot. Instead, he asked that the money be matched by Facebook and donated to charity, and Facebook complied.