
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

Only question -- who decides on what is "reasonable time", because something tells me it's not a hacker, it's Facebook itself.



"reasonable whatever" is often used in laws/courts/contracts. Lawyers and judges are used to interpreting this. If Facebook were to sue you, you could start talking about it as part of your defence.

Additionally, Facebook needs to be seen to be reasonable and have a proper 'whitehat' policy. If they start being mean and dictatorial here, then there will be a breakdown in social trust. People won't report bugs to Facebook; people will sell vulnerabilities on the black market. People will release exploits before telling Facebook. It will, eventually, be bad for Facebook.


I'm under the impression that FB's whitehat program is active enough that submitters don't experience the notification black hole that has required crackers to raise awareness by broadcast elsewhere. That is, "reasonable" has a way of taking on concrete meaning when the site/company actually responds.


I imagine FB requests that details of the vulnerability are kept private until they have informed the discoverer that they are happy for it to be published.



