
Wow, a fix in <24 hours, that's pretty impressive.


I mean the fix is toggling a single environmental variable from True to False, on a system that isn't normally accessed by customers, so the risk is really small in rolling out the change.


Sometimes you’re lucky if a company reads your report in this time, but of course I would expect, and we generally see, much better from the likes of Facebook etc.


You're right, being able to read, triage and act on something in such a massive system is quite the accomplishment.


Facebook deploy updates in their prod 10-20, or even more, times a day.


They could deploy continuously, but deploying to PROD doesn't include minutes/hours/days/weeks/months of investigation, testing, documentation, verification...


Hopefully they also changed the compromised key.


It took them more than 10 days actually... They just shut down the instance until they could find a solution.

30.07.2018 00:00 CEST : initial disclosure with every detail.

09.08.2018 18:10 CEST : patch in place.



