
Comment communication skills (Score 2) 95

Not trying to play devil's advocate here, but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to explain each flaw clearly, and make it understood, even to non-technical people, or your work is somewhat worthless.

Now, it's true that one can expect reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

So in case you are hoping for a reward, you had better make your submission as clear as possible before going mad and going public. Also, you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them).

IMHO the lack of patience from the researcher illustrates that he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable, but not quite the image for raising money as if he were a true whitehat.

Comment VRPs are the new sweatshops (Score 3, Interesting) 95

This is indeed true, especially for popular companies with rather mature SecOps that pay minimum wages for vulnerabilities that are indeed hard to find or require a pretty darn good skill level to discover. Some of them even only offer swag in exchange for finding serious threats such as persistent XSS or authentication bypass. They may feature the researcher in some blog post to publicly thank him and attract the wannabe crowds.

Having said that, I myself have participated in several of these programs (with varying success) and have come to realize that probably Google and Facebook are the only VRPs currently paying reasonable wages for bugs in terms of cost efficiency for the researcher.

On the other hand, some of us just enjoy, from time to time, trying to find security bugs for fun (maybe because we are huge nerds), so these programs offer a great opportunity to test things without risking ending up in jail.

Comment QR codes != information (Score 0) 127

"If the QR idea takes hold memorials will be able to tell much more to future generations."

Not necessarily. QR codes are only links to other resources, they can't hold useful information by themselves. The availability of the information depends on the provider of the content they refer to.

Comment not only prevent, but also mitigate (Score 5, Insightful) 333

While one can arguably say everything can be hacked (unless air-gapped), in certain scenarios you can at least mitigate the impact of a breach to make it almost irrelevant.

The easiest example is password storage. Some SQLi may get through and provide someone with a dump of your user passwords, but if you follow up-to-date recommended security practices, the data will be nearly useless.

That being said, just by reading the Web Application Hacker's Handbook and following all of its recommendations you will have a pretty secure app.
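To illustrate the point made in the comment above about a password dump being "nearly useless", here is an added example (not code from the comment or from any project it mentions) that contrasts unsalted MD5 storage with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, salt length, the `$pbkdf2-sha256$...` record format, and the user records are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Parameters assumed for this example (not from the original comment):
# a 16-byte random salt per user and 600k PBKDF2 iterations.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """Unsalted MD5, the kind of storage a SQLi dump makes trivially crackable:
    identical passwords hash identically, and precomputed tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as '$pbkdf2-sha256$<iters>$<salt>$<dk>'.
    The record carries its own parameters so they can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$pbkdf2-sha256${}${}${}".format(iterations, b64(salt), b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time.
    Any malformed record is rejected rather than raising."""
    try:
        _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def dump_reveals_shared_password(hasher, password: str = "hunter2") -> bool:
    """Simulate what an attacker sees in a dumped table where two users chose
    the same password: with unsalted hashes the rows are identical, so cracking
    one cracks both; with per-user salts the rows tell the attacker nothing."""
    row_alice = hasher(password)
    row_bob = hasher(password)
    return row_alice == row_bob


if __name__ == "__main__":
    # Constructed sample users, not real data.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("md5 dump leaks shared passwords:", dump_reveals_shared_password(legacy_hash))
    print("pbkdf2 dump leaks shared passwords:", dump_reveals_shared_password(hash_password))
```

The `verify_password` path deliberately reads the iteration count from the record, so existing rows keep working while new rows can be written with a higher count as hardware gets faster; a memory-hard function such as scrypt or Argon2 is the stronger choice where available, but the structure (random salt, tunable cost, constant-time comparison, self-describing record) is the same.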

Google

Submission + - Google may harm your computer 3

dowlingw writes: "It looks like for the moment at least, all Google results (for Australia at least) are failing the malware checks and being listed with a warning "This site may harm your computer", including all pages from Google themselves. Users trying to visit pages at search results will only be able to proceed via manual manipulation of the search result link to remove the google click-through (which is also broken). Until Google fixes this bug, it looks like Google web search is useless."

PC Games (Games)

Windows 7 Gaming Performance Tested 179

Timmus writes "Gamers holding onto Windows XP may not have to fear sluggish performance when Windows 7 debuts. While Windows Vista's gaming performance was pretty spotty at launch, the Windows 7 beta build seems to handle most games well. Firingsquad has tested the Windows 7 beta against Windows XP SP3 and Vista SP1 on midrange and high-end gaming PCs across 7 different games. While the beta stumbles in a couple of cases, overall it performs within a few percentage points of Windows XP, actually outrunning XP in multiple benchmarks."
