
I wonder how much time the OP provided to FB to respond.


Why should you provide any time to Facebook to respond with regard to a feature that works as intended (but can – like most features – be used for other purposes)?

The report/block function is a classic in this regard: In the best case, it helps Facebook to identify unwanted content. In many other cases, however, enough reports simply lead to the automatic disappearance of maybe controversial but otherwise completely acceptable content. In general, the freedom of speech should of course prevail, i.e., reporting content as well as blocking content should be the exception and not the norm.


It took two months for a response for me from their security team, and in the end their team dismissed my bug as a discrepancy in privacy settings (it isn't). For me at least, it's not really worthwhile trying to make an information leak a publicly known fact — nobody really cares.


I've run into this too... their security team came back with "That's by design".

Not too long afterwards a friend of mine automated it, stuck it up on Google Code and it might be fixed now ...


What is the bug you submitted that they dismissed?


Under certain conditions contact information of a friend can be extracted when it logically shouldn't be able to.


Well, for one thing, it feels a lot better to share an 'exploit' publicly than to tell the developers privately.

Especially when it's something like FB. And it sure can boost one's self-esteem even by a teeny-tiny bit.

That said, I doubt OP waited even 3 minutes before deciding FB is not responding early enough not to post ;)


What do you mean?


"Since Facebook hasn't responded yet to my report I've decided to make it public."

jmix is wondering how long OP waited for a response from Facebook before posting this.


Oh hahaha! Good question yureka



