Neither here nor there regarding compensation, but if I were to describe this for the purpose of e.g. a resume, I do not think "I demonstrated a vulnerability allowing one to root a facebook.com server and thereby compromise any Facebook user" is an exaggeration. You're most of the way there, and while developing it further might be a fun exercise, from their perspective it should be a mostly forgone conclusion that you'll win.