You can demand whatever you want. You have no leverage.
You can't sell the bug to anyone else (there's no semi-anonymous liquid market for random serverside bugs in line-of-business software, so you're going to end up culpable for whatever the rando who buys it --- for much less than $7000 --- does with it†).
You can disclose to Twitter, but you can do that anyways; all you're doing is foregoing the bounty.
You can tell them "I found a vulnerability in sOmEtHiNg! But I'm not telling you what it is!" but Facebook is beset constantly by bogus bounty claims and they will blow you off.
You can give them a hint as to what it is, to vouch for the legitimacy of your finding, but Facebook has one of the better-resourced security teams in the industry, and they're just going to find it themselves and shut it down without paying you anything.
Part of being a good "agent" is understanding the market you're working in.
† Especially because to even try to put a valuation on the bug --- which, again, ~nobody wants to buy --- you'd have to actively exploit it to see what's on the target system, which is straightforwardly a felony.
You can't sell the bug to anyone else (there's no semi-anonymous liquid market for random serverside bugs in line-of-business software, so you're going to end up culpable for whatever the rando who buys it --- for much less than $7000 --- does with it†).
You can disclose to Twitter, but you can do that anyways; all you're doing is foregoing the bounty.
You can tell them "I found a vulnerability in sOmEtHiNg! But I'm not telling you what it is!" but Facebook is beset constantly by bogus bounty claims and they will blow you off.
You can give them a hint as to what it is, to vouch for the legitimacy of your finding, but Facebook has one of the better-resourced security teams in the industry, and they're just going to find it themselves and shut it down without paying you anything.
Part of being a good "agent" is understanding the market you're working in.
† Especially because to even try to put a valuation on the bug --- which, again, ~nobody wants to buy --- you'd have to actively exploit it to see what's on the target system, which is straightforwardly a felony.