Re: There is a difference
Agreed, something to keep in mind here is that in the 90s this kind of "research" would have just been "hacking" and it would all be illegal, and you'd just get prosecuted and thrown in jail if you were caught.
And what you are doing is exactly like the analogy of walking up to someone's door and trying to pick the lock. It's pretty enlightened that Facebook and Google and bug bounties will tolerate these kinds of attacks as long as they're disclosed. If I found someone picking the lock on my door in the middle of the night, I'd just call the cops and get them arrested. I know that the locks on my doors can be picked because I've picked them before, you're not telling me anything I don't already know, and you're behaving like a burglar.
So, you've already got lots of leeway to probe into Facebook and Google and other companies like that in ways that would have gotten you into seriously hot water in decades past.
And the analogy of then going through someone's underwear drawer is pretty appropriate. I was going to say it's like rifling through their fridge (I need to clean mine out, I think some chicken may have gone bad, I don't need someone to helpfully break into my house to inform me of that...)
It is extremely entitled to think that the bug bounties that companies have out there mean that you have the right to attack their servers in any way you like as long as you disclose what you did.