Props to Facebook for being so responsible about fixing this bug. After seeing so many blog posts about companies not responding to emails from whitehats finding XSS vulnerabilities (http://www.troyhunt.com/2012/08/why-xss-is-serious-business-...), it's comforting to see someone take such reports seriously.
This is the point of responsible disclosure. Tell the company, wait a week or whatever, if they do nothing, then it's ethnical for you to tell the world.