Does anybody ever address the fact that you have to violate the TOS of most sites (even if unintentionally) to do any white hat discovery in the first place?

Edit: though I do believe that reporting systems with bounties like those you linked are exactly the way to compete with the black market for vulnerabilities.

The problem is how can you be sure they will treat you nicely?

I will grant you tarsnap is pretty safe since it is a one man operation and Mozilla and Chromium are both depending on the goodwill of the community, but Facebook is company which has been pretty aggressive in the way it shits over its users (I can remember about 3 or 4 privacy debacles).

I guess you have to trust that the company wouldn't go to the trouble of setting up a program (and making payouts) if it were going to treat vulnerability reporters poorly. I think treating them poorly is generally a pretty bad long-term plan though, because of the negative light it casts the company in, the lack of future responses it will garner, and the hostility it may bring out (hello, Sony).

Do you feel like Facebook has ever "shit over" legitimate security researchers? I can see if I can help if you have examples.

I wasn't involved with that situation at all, but I don't think it involved any responsible disclosure of a security vulnerability.