Facebook has implemented a fresh security vulnerability disclosure policy. The social-media behemoth finds a bug in another platform s code, the project has 90 days to remediate before Facebook goes public. The policy dictates that Facebook will first find the appropriate contact (an open-source project-maintainer) and then will contact that person appropriately (via emails, bug trackers, support tickets and so on) Facebook said it would coordinate disclosure with the impacted developer, either publicly or to specific people or companies using the project.
Source: https://threatpost.com/facebook-third-party-vulnerability-disclosure-policy/158976/