Congrats. This is exactly how responsible disclosure is supposed to work. You spend valuable time looking for holes and when you find one they fix it quickly and compensate you for your trouble.

That's awesome. Congrats to making the money, and raising the issue correctly - as well as not going off of the ethical deep end.

Out of curiosity, how much time did you spend on this?

I spend 4-5 hours a week hunting for bugs.

The "session" I found this bug in was around 2 hours long.

Were you able to do this all with the dummy accounts that Facebook provides for the Bug Bounty program or did any steps require a genuine account? Just curious as I always wonder whether there are bugs that affect genuine accounts and not dummy accounts or vice-versa.

That's awesome.

Also sounds like you should maybe try to move to a different country, if you can!

He'd probably be better off staying where he is and courting customers in the US and UK. The combination of a low cost of living and a metropolitan income (or as close as possible) is a splendid combination.

Probably worth $500k to government actor.