That seems fine. This wasn't a responsible security disclosure; they're not punishing a whistleblower. Publishing an extension to the Chrome Web Store that lets anyone exploit the bug is NOT the responsible way for anyone to "highlight" a security issue unless normal channels have repeatedly failed (which was not the case here), let alone someone who is working for them.
> Publishing an extension to the Chrome Web Store that lets anyone exploit the bug is NOT the responsible way for anyone to "highlight" a security issue unless normal channels have repeatedly failed
I think that's the core behind responsible disclosure. If I were management at Facebook - I would be perfectly fine if he published a paper about it after we patched the bug (in fact I would encourage him to do it) - but not create an exploit allowing N number of people to use it and then tell me about it.
Edit: changing point of view
If someone told me about an exploit in one of my sites - I might even pay him a small reward.
There are of course those who are completely out of touch with reality and completely ignore legit issues. Never forget the Super Meat Boy incident of 2010 [1]. That has actually made me stop playing their games - because it makes me uneasy to think they were sitting at the kitchen table or in the office and thinking "it would be a great idea if we connected a MySQL server directly to query custom level data!" - and not at least find someone to bounce that off of to wonder why other people aren't doing that.
I disagree. This was not a security vulnerability; this was just a poor product decision made by Facebook (that had major privacy implications). The phrasing of their update a few weeks later supports that it was a conscious product decision from the beginning.
This developer highlighted a privacy issue with Facebook's product with a public proof of concept - it's no different than other proofs of concept built by the EFF et al. Facebook decided to react to it by being idiots, but that's not too surprising anymore on their behalf.
This wasn't a security disclosure at all - Facebook knew that this information was available but didn't see it as a problem. The "problem" was that somebody tried to make the public aware of how it worked.
"Noticing a lack of significant public response to the visible nature of geo-location data on Facebook Messenger, despite media coverage dating back to 2012" - http://jots.pub/a/2015081101/