"If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research."
I respect my colleagues at Facebook - but I do not think this policy deserves such praise.
The problem is that with extremely rare exceptions, software vendors do not object to being given reasonable notice about a vulnerability - but one of the most significant points of contention between them and the research community is the meaning of that single, special word: "reasonable".
Because of different incentives, businesses have a history of allowing privately reported vulnerabilities to go unresolved for a year or more; and many of the best-known names in the industry have attempted to suppress good-faith attempts to alert the public to their apparent non-responsiveness.
I suspect that Facebook is capable of, and willing to, respond to vulnerability reports promptly, and will not resort to such tricks - but that does not make the policy sound any better. The promise not to sue people who satisfy an unspecified but vendor-defined expectation of "reasonable time" implicitly creates a threat of prosecution in non-compliant cases; and it equates those cases with the other, clearly malicious practices listed in the paragraph quoted above.
There are interesting examples of exceptional, researcher-friendly policies out there; this one doesn't belong, yet.