
I don't think there's much to see here...it is a cool bug though that doesn't require a super high level understanding of security to figure out.

But a 6-9 month time to fix seems really long (also I would have thought a $1000 bug bounty is low for this type of exploit...but then again I'm not in this space too much to know the average rewards).



The thing to also keep in mind is that the bug bounty teams are typically centralized and not embedded within the product teams of the services being reported on. They certainly get prioritized attention, but there are still layers of communication to report the issue, follow up with devs or reporter if there are questions or difficulties reproducing the issue, prioritize the issue, fix the bug and deploy to prod.

Not to say that’s the way it is at Facebook, just what I’ve seen in the past.


Being charitable here, it may be that this exploit showed a breakage in their internal API security process, or an edge case previously unhandled. Perhaps FB had to run an internal audit to find any other endpoints affected by this bug. Buggy endpoints then need to get fixed, tickets get sent out, but with a low priority because this is a low priority bug, and voilà, 6-9 months.


One could also question whether they used the lure of a bounty to keep someone quiet while they let customers (aka advertisers) continue to benefit for an extra 9 months at the expense of the users.

I guess you'd have to consider Facebook's track record in terms of how charitable vs. cynical you want to be in interpreting their actions.


Couldn't Facebook just provide some secret service for identifying users behind the scenes that regular devs cannot access?



