The researcher claims that he also found other OAuth-related vulnerabilities that affect Facebook, but declined to reveal any information about them because they haven't been fixed yet.
Facebook runs a bug bounty program through which it pays monetary rewards to security researchers who find and responsibly report vulnerabilities affecting the site.
Goldshlager said on Twitter that he has not yet been paid by Facebook for reporting this vulnerability, but noted that his report included multiple vulnerabilities and that he will probably receive the reward after all of them get fixed.
Facebook pays security researchers very well for finding and reporting bugs, Goldshlager said via email. "I can't say how much, but they pay more than any other bug bounty program that I know."