Facebook has a bug bounty program with a minimum payout of $500, but as the very direct language in their responsible disclosure policy attests, they do not tolerate mucking about with production data: if you comply with the policies when reporting a security issue to Facebook, they will not initiate a lawsuit or law enforcement investigation against you in response to your report.
The amount of information available for their program is minimal. You'll find a side-by-side example of a submission report and an improved version, as well as some non-qualifying vulnerabilities, but not much in the way of universal lessons or professional tips.
As the legalese signals, Facebook is very sensitive to misuse of its platform – especially given recent increased scrutiny. And because so many exploits will be aimed at affecting users, it's critical to stop short of writing any code that could subvert an account.