Being charitable here, it may be that this exploit showed a breakage in their internal API security process, or an edge case previously unhandled. Perhaps FB had to run an internal audit to find any other endpoints affected by this bug. Buggy endpoints then need to get fixed, tickets get sent out, but with a low priority because this is a low-priority bug, and voilà, 6-9 months.
One could also question whether they used the lure of a bounty to keep someone quiet while they let customers (aka advertisers) continue to benefit for an extra 9 months at the expense of the users.
I guess you'd have to consider Facebook's track record in terms of how charitable vs. cynical you want to be in interpreting their actions.