Hacker News
by eugenez 4361 days ago
We also have a system for patching vulnerabilities which does not require a full code push. It has been useful on a number of occasions. (source: I patched this one)

Does Facebook usually respond to exploit reports so quickly, or does the fact that the discoverer (Stephen Sclafani) helped Facebook find bugs in previous years mean that his emails were automatically flagged as high-priority?
We try to respond to any exploit of this severity immediately, and will often disable a feature temporarily while working on a fix rather than letting the exploit remain open. It helps a lot when the repro steps are as clear as they were in this one.